rtandy, this is not specific to slapd, but affects all applications that use libldap2 and gnutls. Instead of returning a failure at START_TLS, the library just crashes at a double-free. This makes it difficult to find the actual problem in services like sssd that crash due to this bug, although the root cause is a simple configuration mistake. (gnutls cipherspecs are notoriously complicated, and very easy to get wrong. Crashing in such a case is, and should be considered, a serious bug. There is nothing an application can do to mitigate this.)
Attached is a backported patch from 2.4.40 to current Debian/Ubuntu source package. I applied this to 2.4.31-1+nmu2ubuntu8, added a dummy changelog entry, and recompiled the package. The changes are localized and safe, should apply cleanly to other versions too. The patched library no longer crashes: this fixes the bug. In other words, this is a trivial bug for the Debian/Ubuntu openldap maintainers to fix, if they saw the bug serious enough to fix. ** Patch added: "Debian/Ubuntu source package patch, backported from 2.4.40" https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+attachment/4349163/+files/openldap-2.4.31-gnutls-backport.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1103353 Title: Invalid GnuTLS cipher suite strings causes libldap to crash To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1103353/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
