[email protected] wrote:
> Full_Name: Havard Eidnes
> Version: 2.4.44
> OS: NetBSD
> URL:
> Submission from: (NULL) (2001:700:1:0:eeb1:d7ff:fe59:fbaa)
>
>
> Hi,
>
> CVE-2015-3276 appears to be unfixed in 2.4.44, and from several
> attempts at finding the bug reported in your mailing list archive
> I came up empty. So ... The best I've found from this CVE is
> RedHat's bugzilla entry at
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1238322
>
> which contains a (suggested) patch.

We can integrate a suggested fix if the patch author submits their patch to
our ITS directly. Due to IPR concerns we don't accept or act on 3rd party
patch submissions.

>
> Summarized:
>
> The openldap (for NSS) emulation of the openssl cipherstring parsing code
> incorrectly implements the multi-keyword mode.
> As a consequence anyone using a combination like:
>
> ECDH+SHA
>
> will not get the expected set of ciphers [...]
>
> (I'm somewhat dismayed that this was apparently not reported upstream
> earlier...)
>
> Best regards,
>
> - Håvard
>
>

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
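The multi-keyword semantics behind the report quoted above, as an added example that is not part of this thread and is not OpenLDAP, NSS or Red Hat code: in an OpenSSL cipherstring, `+` inside one item is a logical AND of the keywords, while `:` separates items whose results are combined. The suite table, its keyword tags and the `offered` list are constructed for illustration, and only `+` and `:` are handled (no `!`, `-` or `@STRENGTH`).

```python
# Constructed sample table: suite name -> keywords it matches.
# A simplification for illustration, not a complete OpenSSL cipher list.
SUITES = {
    "ECDHE-RSA-AES128-SHA":    {"ECDH", "RSA", "AES", "SHA"},
    "ECDHE-RSA-AES128-SHA256": {"ECDH", "RSA", "AES", "SHA256"},
    "DHE-RSA-AES128-SHA":      {"DH", "RSA", "AES", "SHA"},
    "AES128-SHA":              {"RSA", "AES", "SHA"},
    "RC4-MD5":                 {"RSA", "RC4", "MD5"},
}


def expand(cipherstring):
    """Expand a cipherstring into suite names, in table order per item.

    Each ':'-separated item is split on '+'; a suite is selected only if it
    carries every keyword of the item (logical AND).
    """
    selected = []
    for item in cipherstring.split(":"):
        keywords = set(item.split("+"))
        for name, tags in SUITES.items():
            if keywords <= tags and name not in selected:
                selected.append(name)
    return selected


def unexpected(cipherstring, offered):
    """Return suites in `offered` that the cipherstring should not enable."""
    allowed = set(expand(cipherstring))
    return sorted(s for s in offered if s not in allowed)


if __name__ == "__main__":
    # "ECDH+SHA" must select only suites that are both ECDH and SHA.
    print("ECDH+SHA ->", expand("ECDH+SHA"))
    # "ECDH:SHA" is two separate items, so it selects a wider set.
    print("ECDH:SHA ->", expand("ECDH:SHA"))
    # Constructed list of suites a server was observed to offer.
    offered = ["ECDHE-RSA-AES128-SHA", "AES128-SHA", "RC4-MD5"]
    print("unexpected:", unexpected("ECDH+SHA", offered))
```

Comparing the suites a deployment actually offers against the expected expansion of its configured cipherstring is one way to notice when a TLS backend does not honour the string as written.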
