[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2015-04-08 Thread Oleg Strikov
Hi Harry, Thanks for the input. Could you add more information on this please: "silently switch from a slapd that used openssl to gnutls". I just looked through the launchpad package archive and it looks like we never had openldap linked against openssl in 12.04 and 14.04. First version of

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2015-04-07 Thread Robie Basak
13:40 strikov rbasak: i did a research on CVE attached to the bug and came to conclusion that it was attached incorrectly 13:41 strikov rbasak: this CVE is about a different thing and I have no idea why it was attached Looking at the CVE details I agree, so unlinking. ** CVE removed:

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2015-04-07 Thread Oleg Strikov
I plan to change the status of this bug for 12.04 (precise) and 14.04 (trusty) to Won't Fix. In this comment I want to explain why I came to this decision. This bug had CVE-2013-4449 linked to it. I don't think that this CVE is relevant because the patch proposed in this bug doesn't resolve the

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2015-03-31 Thread Oleg Strikov
Shell script which reproduces the issue: http://pastebin.ubuntu.com/10712595/ Please run this script only on a disposable instance in the cloud because it creates and adds an ultimately trusted certificate to the target machine. I was able to reproduce the issue on precise (12.04) and trusty

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2015-03-31 Thread Robie Basak
** Also affects: openldap (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: openldap (Ubuntu Precise) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to the bug

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2015-03-31 Thread Oleg Strikov
** Changed in: openldap (Ubuntu Precise) Status: New => In Progress ** Changed in: openldap (Ubuntu Trusty) Status: New => In Progress ** Changed in: openldap (Ubuntu Precise) Assignee: (unassigned) => Oleg Strikov (strikov) ** Changed in: openldap (Ubuntu Trusty) Assignee:

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2015-03-20 Thread Harry Coin
I just now noted the remark above suggesting the remedy to programs which crash abort when having a string parsing error is to not feed it strings it doesn't like. I suppose, mutatis mutandis, were the string one 99 of 100 leave defaulted, it could be overlooked. However does anyone really think

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2015-03-20 Thread Harry Coin
If this were a library used in a game or a bug in a screensaver I could see letting a formatting error in a string crash abort any program using the library sit for a year. I'm staggered really to experience this for a package as widely touted as gnutls, contending to be a replacement for

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2015-03-20 Thread Jouko Orava
Well, considering that Ubuntu openldap maintainers consider e.g. CVE-2013-4449 (denial-of-service, 2.4.31 to 2.4.36 are vulnerable) not important enough to patch or update to a later openldap version, I expect there to be zero chance of this bug being patched either. It seems that if it does not

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2015-03-18 Thread Ryan Tandy
The fixed version is not in Ubuntu yet. This crash only happens on invalid configurations, though; slapd will still refuse to start on such a configuration. Fix your configuration to be correct, and you won't see the crash any more.

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2015-03-18 Thread Harry Coin
Kindly notice that the fix mentioned above for .40 was dated not quite a year ago. I'm not an Ubuntu expert, but I think this page: https://launchpad.net/ubuntu/+source/openldap explains the fix mentioned above is not available as a backport for trusty, nor native in utopic, nor even being

Re: [Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2015-03-18 Thread Ryan Tandy
On Wed, Mar 18, 2015 at 06:40:06PM -, Jouko Orava wrote: "rtandy, this is not specific to slapd, but affects all applications that use libldap2 and gnutls." Apologies for the lack of context. You're completely correct, but the message I was replying to was about slapd specifically: he had just

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2015-03-18 Thread Jouko Orava
rtandy, this is not specific to slapd, but affects all applications that use libldap2 and gnutls. Instead of returning a failure at START_TLS, the library just crashes at a double-free. This makes it difficult to find the actual problem in services like sssd that crash due to this bug, although

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2014-10-20 Thread Bug Watch Updater
** Changed in: openldap (Debian) Status: Confirmed => Fix Released

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2014-10-01 Thread Bug Watch Updater
** Changed in: openldap (Debian) Status: Unknown => Confirmed

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2014-09-02 Thread Ryan Tandy
** Also affects: openldap (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640384 Importance: Unknown Status: Unknown

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2014-04-08 Thread Ryan Tandy
Fix committed upstream, will be released in 2.4.40. http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=7350a52adacb5f258925b14d2bc5136c8f4ddd9b

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2013-01-23 Thread Ubuntu Foundations Team Bug Bot
The attachment "Suggested patch to fix libldap crash with invalid GnuTLS cipher suite strings" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2013-01-23 Thread Robie Basak
Thank you for taking the time to report this bug and helping to make Ubuntu better. Please could you clarify exactly which Ubuntu package versions of openldap are affected by this bug? Has this been reported and/or fixed upstream, and if so could you please provide appropriate links? And could

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2013-01-23 Thread Jouko Orava
This bug affects libldap-2.4-2, at least versions 2.4.28 (2.4.28-1.1ubuntu4) and 2.4.31 (2.4.31-1ubuntu2), when compiled against GnuTLS. The bug exists in the latest openldap.org upstream versions from 2.4.28 to 2.4.33 at least; probably since they switched from custom parsing the cipher

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2013-01-23 Thread Robie Basak
Thank you for your detailed investigation into this. I appreciate the time you've spent on this. Marking as medium importance, since a workaround is available (which I believe is to fix the cipher suite string to something valid, right?). If the Ubuntu OpenLDAP developers and users can confirm

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2013-01-23 Thread Jouko Orava
Correct. The workaround to avoid the crash is to use a strictly valid GnuTLS cipher suite string, for example NORMAL or SECURE128 or SECURE192 or SECURE256. In those rare cases where those existing defaults are not acceptable (due to security concerns, for example), the minimal search.c program I

[Bug 1103353] Re: Invalid GnuTLS cipher suite strings causes libldap to crash

2013-01-23 Thread Jouko Orava
Reported upstream at openldap.org, as Incoming/7500, https://www.openldap.org/its/index.cgi/Incoming?id=7500