Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
69e0366f by Salvatore Bonaccorso at 2020-07-17T21:21:03+02:00
Update notes for CVE-2020-15719/openldap

In general it looks like we might simply consider this a Red Hat specific
problem. The issue was disputed upstream as being valid, with the
comment that the behaviour in libldap conforms with RFC4513 and it is
still authoritative for OpenLDAP as RFC6125 does not supersede the rules
for verifying service identity provided in specifications for existing
applications like LDAP. For details see the comments from Ryan Tandy as
raised in <https://bugs.debian.org/965184#10>.

It would seem reasonable to not diverge from upstream in Debian unless
this problem is considered severe enough.

- - - - -
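The commit message turns on one difference between the two RFCs it names: RFC 4513 (section 3.1.3) lets an LDAP client fall back to the subject CN even when the certificate carries subjectAltName dNSName entries, whereas RFC 6125 (section 6.4.4) forbids consulting the CN once any DNS-ID is present. The example below is added here to make that difference concrete; it is not code from the security tracker, OpenLDAP, Debian or Red Hat, and the `ServerCert` class, the two `verify_*` functions and the certificate values are all constructed for illustration based on my reading of the two RFCs, not a transcription of libldap's `tls_o.c` logic.

```python
# Added example (not the tracker's or OpenLDAP's code): compare two hostname
# verification policies for an LDAP server certificate on constructed inputs.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ServerCert:
    """Constructed stand-in for the identity fields of an X.509 server cert."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)  # dNSName SAN entries


def _dns_match(reference: str, presented: str, allow_wildcard: bool) -> bool:
    """Case-insensitive DNS name comparison; a '*' may only replace the whole
    left-most label and matches exactly one label (RFC 4513 rule b, RFC 6125)."""
    ref = reference.lower().rstrip(".")
    pres = presented.lower().rstrip(".")
    if not allow_wildcard or not pres.startswith("*."):
        return ref == pres
    ref_labels, pres_labels = ref.split("."), pres.split(".")
    return (len(ref_labels) == len(pres_labels)
            and ref_labels[0] != ""
            and ref_labels[1:] == pres_labels[1:])


def verify_rfc4513(hostname: str, cert: ServerCert) -> bool:
    """My reading of RFC 4513 s.3.1.3: dNSName SANs are the preferred source of
    identity (wildcards allowed); the CN may still be compared, without
    wildcards, and its use is deprecated but not forbidden when SANs exist."""
    if any(_dns_match(hostname, n, True) for n in cert.san_dns):
        return True
    return cert.subject_cn is not None and _dns_match(hostname, cert.subject_cn, False)


def verify_rfc6125(hostname: str, cert: ServerCert) -> bool:
    """RFC 6125 s.6.4.4: if any DNS-ID is present, the CN-ID MUST NOT be
    consulted at all; the CN is only a fallback for SAN-less certificates."""
    if cert.san_dns:
        return any(_dns_match(hostname, n, True) for n in cert.san_dns)
    return cert.subject_cn is not None and _dns_match(hostname, cert.subject_cn, False)


def compare_policies(hostname: str, cert: ServerCert) -> Dict[str, bool]:
    """Run both policies so the divergent case is visible side by side."""
    return {"rfc4513": verify_rfc4513(hostname, cert),
            "rfc6125": verify_rfc6125(hostname, cert)}


# Constructed certificates; the third one is the "SAN present but not
# matching, CN matches" shape that the two RFCs treat differently.
HOST = "ldap.example.test"
CASES = {
    "san matches": ServerCert("ignored.example.test", ["ldap.example.test"]),
    "wildcard san": ServerCert(None, ["*.example.test"]),
    "bad san, cn matches": ServerCert("ldap.example.test", ["directory.example.test"]),
    "no san, cn matches": ServerCert("ldap.example.test"),
    "no san, wildcard cn": ServerCert("*.example.test"),
}


def divergent_cases() -> List[str]:
    """Names of constructed cases where the two policies disagree."""
    return [name for name, cert in CASES.items()
            if verify_rfc4513(HOST, cert) != verify_rfc6125(HOST, cert)]


if __name__ == "__main__":
    for name, cert in CASES.items():
        print(f"{name:22s} {compare_policies(HOST, cert)}")
    print("divergent:", divergent_cases())
```

Only the "bad san, cn matches" certificate is accepted under the RFC 4513 reading and rejected under RFC 6125; that single shape is the whole substance of the dispute described in the commit message, and a deployment that relies on CN-only certificates is the one that notices when a client switches policies.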


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -195,10 +195,13 @@ CVE-2020-15720 (In Dogtag PKI through 10.8.3, the 
pki.client.PKIConnection class
        NOTE: 
https://github.com/dogtagpki/pki/commit/50c23ec146ee9abf28c9de87a5f7787d495f0b72
 CVE-2020-15719 (libldap in certain third-party OpenLDAP packages has a 
certificate-val ...)
        - openldap <unfixed> (bug #965184)
-       NOTE: https://bugs.openldap.org/show_bug.cgi?id=9266 (private)
+       NOTE: https://bugs.openldap.org/show_bug.cgi?id=9266
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1740070
-       NOTE: RedHat/CentOS Patch: 
https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch
-       NOTE: Affected file is compiled but Debian openssl uses GnuTLS.
+       NOTE: RedHat/CentOS applied patch: 
https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch
+       NOTE: OpenLDAP upstream did dispute the issue as beeing valid, as the 
current libldap
+       NOTE: behaviour does conform with RFC4513. RFC6125 does not superseed 
the rules for
+       NOTE: verifying service identity provided in specifications for 
existing application
+       NOTE: protocols published prior to RFC6125, like RFC4513 for LDAP.
 CVE-2020-15718 (RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper 
validation o ...)
        NOT-FOR-US: RosarioSIS
 CVE-2020-15717 (RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper 
validation o ...)
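Review bot: the removed line "NOTE: Affected file is compiled but Debian openssl uses GnuTLS." carried a rationale that the new NOTE lines do not preserve, namely that the backend the CentOS patch touches is not the one the Debian package uses at run time; if it was dropped only because of its wording ("Debian openssl" where "Debian openldap" is meant), consider re-adding it corrected rather than losing the point. Also, the new NOTE text goes into data/CVE/list verbatim, so the two spelling mistakes should be fixed before it lands: "beeing valid" should read "being valid" and "does not superseed" should read "does not supersede".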



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69e0366f2ae0bdfdfc4898690141afa6410b93f1



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits