[Pkg-openldap-devel] slapd: dangerous access rule in default config
Luca Bruno
lucab at debian.org
Mon Mar 30 12:16:30 UTC 2015
On Sunday 29 March 2015 16:02:49 Yves-Alexis Perez wrote:
> On sam., 2015-03-28 at 15:40 -0700, Ryan Tandy wrote:
> > Hi! Thanks for picking this up again.
> >
> > On Sat, Mar 28, 2015 at 10:20:45PM +0100, Yves-Alexis Perez wrote:
> > >Sorry for letting this fall through the cracks. I guess we should try
> > >to finish this by pushing a DSA so people are aware of this.
> > >
> > >The patches look ok, so I think we can proceed with the upload to
> > >security-master. I didn't yet request a CVE on oss-sec, so I'll do it
> > >right now so we have it for the DSA.
> > >
> > >Any question? Again sorry for the delay.
> >
> > Sounds good. I assume "the patches" means you're ok with including the
> > unrelated CVE fixes I linked a couple of messages ago [1].
> >
> > I'll try to provide an updated and tested debdiff asap after the CVE ID
> > is assigned.
>
> The CVE is CVE-2014-9713, sorry I didn't put you in the loop when
> requesting, but the thread can be found at
> http://www.openwall.com/lists/oss-security/2015/03/28/7 (see also the
> note about upstream documentation).

Thanks, I've updated the changelog with the CVE reference.
Current package is at
http://anonscm.debian.org/cgit/pkg-openldap/openldap.git/log/?h=wheezy

> You can upload to security-master, I'll check the debdiff there.

I've just pushed the fixed package to security-master.
I picked -2 as a revision as it never existed in our history, it is smaller
than later versions, and I was not sure how to properly reset/version after
previous NMU. I haven't yet tagged this in our git, feel free to suggest a
better one if needed.

Cheers, Luca
--
.''`. ** Debian GNU/Linux ** | Luca Bruno (kaeso)
: :' : The Universal O.S. | lucab (AT) debian.org
`. `'` | GPG Key ID: 0x4F3BBEBF
`- http://www.debian.org | Debian GNU/Linux Developer