Hi,

Thanks for working on fixing issues in stable.

On Mon, 2011-03-28 at 22:41 +0200, Matthijs Möhlmann wrote:
> According to bug #617606 there are currently 2 CVEs open.
> CVE-2011-1024: [...]
> CVE-2011-1025:

These look okay, although it doesn't appear that they've been resolved in unstable yet? If so, that really should be done first. Once the patches have been tested in unstable, we can then look again at applying them to stable.

> CVE-2011-1081:
> modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attackers to
> cause a denial of service (daemon crash) via a relative Distinguished Name
> (DN) modification request (aka MODRDN operation) that contains an empty value
> for the OldDN field.
> Fix:
> http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/modrdn.c.diff?hideattic=1&r1=text&tr1=1.181&r2=text&tr2=1.182&f=c
> Impact: High, possibility to remotely crash slapd.

The security tracker indicates that this CVE hasn't yet been checked for its applicability to and impact on Debian. Have you confirmed with the security team that they don't wish to handle this?

> Then we have a possible database corruption (introduced by patch
> service-operational-before-detach (debian specific))
> Fix:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=service-operational-before-detach;att=1;bug=616164
> Above fix is the new patch for service-operational-before-detach.

Looking at the upstream commits, should servers/slapd/main.c r1.279 be included here?

As with the earlier patches, this should also be tested in unstable before being applied to stable.

Regards,

Adam

