Bug 24076

Summary: openldap new security issue CVE-2017-17740
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Buchan Milne <bgmilne>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: bgmilne, marja11
Version: 7   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: openldap-2.4.47-1.mga7.src.rpm CVE:
Status comment:
Bug Depends on: 25286, 26569    
Bug Blocks:    

Description David Walser 2018-12-26 03:32:14 CET 
SUSE has issued an advisory on December 17:
http://lists.suse.com/pipermail/sle-security-updates/2018-December/004970.html

Mageia 6 is also affected.
David Walser 2018-12-26 03:32:20 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-12-26 08:10:41 CET 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => bgmilne

Comment 2 Buchan Milne 2018-12-30 21:20:34 CET 
The crash occurs when using the nops overlay from contrib (which we do ship) with memberof (a supported overlay). The patch from SUSE is for the memberof overlay, but hasn't been submitted upstream.

Since the use of the nops overlay is much less likely than the memberof overlay, I would prefer not to patch the memberof overlay with a patch not reviewed by upstream or well tested (which I personally don't have time for now as I am going away on holiday).

I will try and revisit this when I am back (2nd week of Jan).
Comment 3 David Walser 2019-01-21 03:53:24 CET 
Ping Buchan.
Comment 4 Buchan Milne 2019-01-30 17:22:42 CET 
I would prefer to follow/support upstream here, which would be either:
* drop the nops overlay (quick change, but we would break any users of the nops overlay)
* submit a fix for the nops overlay in https://www.openldap.org/its/index.cgi?findid=8759 (would take a bit longer, but has the better ROI).

The patches other vendors are using seems to be the incorrect fix, and could break other configurations with multiple overlays.

Status: NEW => ASSIGNED

David Walser 2019-06-23 19:17:57 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

David Walser 2019-08-12 01:32:18 CEST

Depends on: (none) => 25286

Comment 5 Buchan Milne 2019-09-05 21:13:59 CEST 
Based on the lack of progress by anyone to provide a correct fix, maybe we shouldn't ship the nops overlay?
Comment 6 David Walser 2019-09-05 23:33:24 CEST 
That sounds reasonable.
Comment 7 David Walser 2019-11-26 23:16:34 CET 
openSUSE has issued an advisory for this on September 24:
https://lists.opensuse.org/opensuse-updates/2019-09/msg00113.html
David Walser 2020-01-14 18:11:56 CET

Status comment: (none) => Can be fixed by dropping the nops overlay

David Walser 2020-04-30 19:31:24 CEST

Depends on: (none) => 26569

Comment 8 Buchan Milne 2020-05-02 10:32:35 CEST 
openldap-2.4.50-1.1.mga7.src.rpm drops the nops overlay.

CC: (none) => bgmilne
Assignee: bgmilne => bugsquad

David Walser 2020-05-02 17:00:36 CEST

Whiteboard: MGA7TOO, MGA6TOO => (none)
Assignee: bugsquad => bgmilne
Version: Cauldron => 7
Status comment: Can be fixed by dropping the nops overlay => (none)

Comment 9 David Walser 2020-05-05 14:37:56 CEST 
Fixed in:
https://advisories.mageia.org/MGASA-2020-0200.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED