| Summary: | openldap new security issue CVE-2012-2668 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Mageia Bug Squad <bugsquad> |
| Status: | RESOLVED INVALID | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | bgmilne |
| Version: | Cauldron | | |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/507105/ | | |
| Whiteboard: | MGA2TOO, MGA1TOO | | |
| Source RPM: | openldap-2.4.29-2.1.mga2.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2012-07-18 00:27:39 CEST
David Walser
2012-07-18 00:28:00 CEST
CC:
(none) =>
bgmilne
David Walser
2012-07-18 00:28:10 CEST
CC:
(none) =>
bgmilne

Fedora/Red Hat compile OpenLDAP against nss/moznss, while we compile against openssl (because moznss is not yet mature enough for OpenLDAP, and OpenLDAP support for moznss within the limitations of moznss is also not very mature, with Red Hat being about the only user/developer of this support). Are we sure we are affected?

According to the Red Hat bug, we are not affected:

"It was reported that OpenLDAP, when using the Mozilla NSS backend, would ignore any TLSCipherSuite configuration settings. When the TLSCipherSuite setting is configured, OpenLDAP would use the default cipher suite, ignoring the setting."

Yes, it appears that the tls_m.c that is implicated in most of Fedora's recent changes is used for TLS using MozNSS, so we wouldn't be impacted by them, including the CVE.

The only changes that were to something other than tls_m.c are these ones:

http://pkgs.fedoraproject.org/gitweb/?p=openldap.git;a=commitdiff;h=5172ff7830aa994e8e7b789508018fc37a6b1792
http://pkgs.fedoraproject.org/gitweb/?p=openldap.git;a=commitdiff;h=ac8a31ed532476c66960f896054713d98be3ecf7
http://pkgs.fedoraproject.org/gitweb/?p=openldap.git;a=commitdiff;h=916cbca281e4baf6c4dc6d9e1ac87ef15557146d

So it looks like we don't need to issue a security update. I don't know how important any issues that might have been solved by the above changes are, so I'll leave that up to you. In the meantime, we can close this bug as INVALID.

(In reply to comment #2)
> Yes, it appears that the tls_m.c that is implicated in most of Fedora's recent
> changes is used for TLS using MozNSS, so we wouldn't be impacted by them,
> including the CVE.
>
> The only changes that were to something other than tls_m.c are these ones:
>
> http://pkgs.fedoraproject.org/gitweb/?p=openldap.git;a=commitdiff;h=5172ff7830aa994e8e7b789508018fc37a6b1792

Minor bug-fix.

I would prefer to handle a number of other minor bugs as well, either by pushing 2.4.32 or so, or cherry-picking a number of other fixes (such as those related to the new mdb backend).

> http://pkgs.fedoraproject.org/gitweb/?p=openldap.git;a=commitdiff;h=ac8a31ed532476c66960f896054713d98be3ecf7
>

TLS-related, looks like it may be MozNSS-specific.

> http://pkgs.fedoraproject.org/gitweb/?p=openldap.git;a=commitdiff;h=916cbca281e4baf6c4dc6d9e1ac87ef15557146d

IMHO this looks like fixing the wrong problem (lack of checkpointing in default config, and no means of forcing explicit database recovery during start in RH/Fedora init script/systemd PreExec script), or an issue related to native systemd support, which we don't (yet) provide.

Status:
NEW =>
RESOLVED
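The triage above turns on two facts: CVE-2012-2668 lives in tls_m.c, the MozNSS backend, so it only matters for a libldap linked against NSS; and the symptom is a TLSCipherSuite setting that is silently not enforced. As an added example (not part of this bug report and not code from the OpenLDAP project), the script below does both checks: it classifies a build's TLS backend from `ldd` output and, against a live ldaps server, tests whether a cipher the server's TLSCipherSuite should exclude is actually refused. The `ldd` excerpts are constructed; the library paths searched, and the host, port and cipher passed to the live check, are assumptions.

```shell
#!/bin/sh
# Added example for CVE-2012-2668 triage; not from the Mageia bug or OpenLDAP.
# The flaw is in tls_m.c (MozNSS backend only), so the first question for a
# distribution is which TLS library its libldap is linked against.

# Classify the TLS backend from ldd output read on stdin.
# NSS's SSL library is libssl3.so; OpenSSL's is libssl.so.N, so the two
# patterns below do not overlap. Prints: moznss, openssl, gnutls or unknown.
tls_backend_from_ldd() {
    awk '
        /libnss3\.so|libssl3\.so/ { nss = 1 }
        /libssl\.so/              { ossl = 1 }
        /libgnutls\.so/           { gtls = 1 }
        END {
            if (nss)       print "moznss"
            else if (ossl) print "openssl"
            else if (gtls) print "gnutls"
            else           print "unknown"
        }'
}

# CVE-2012-2668 (TLSCipherSuite ignored) applies only to the MozNSS backend.
affected_by_cve_2012_2668() {
    case "$1" in
        moznss)         echo yes ;;
        openssl|gnutls) echo no ;;
        *)              echo unknown ;;
    esac
}

# Live check, independent of backend: does the server refuse a cipher that
# its TLSCipherSuite is supposed to exclude? Needs the openssl CLI and a
# reachable ldaps port. A reachability probe runs first so that "connection
# refused" is not mistaken for "cipher rejected". Note: -cipher governs
# TLS 1.2 and older; TLS 1.3 suites are selected with -ciphersuites.
# Returns 0 if enforced, 1 if the forbidden cipher was accepted, 2 if unreachable.
tls_cipher_enforced() {   # usage: tls_cipher_enforced HOST PORT FORBIDDEN_CIPHER
    printf '' | openssl s_client -connect "$1:$2" >/dev/null 2>&1 || {
        echo "cannot reach $1:$2"; return 2; }
    if printf '' | openssl s_client -connect "$1:$2" -cipher "$3" >/dev/null 2>&1; then
        echo "NOT enforced: handshake with $3 succeeded"; return 1
    fi
    echo "enforced: $3 rejected"; return 0
}

# Constructed ldd excerpts (not real captures) for the two build flavours.
FEDORA_LDD='	libldap-2.4.so.2 => /usr/lib64/libldap-2.4.so.2 (0x7f1a2b000000)
	libnss3.so => /usr/lib64/libnss3.so (0x7f1a2a000000)
	libssl3.so => /usr/lib64/libssl3.so (0x7f1a29000000)'
MAGEIA_LDD='	libldap-2.4.so.2 => /usr/lib64/libldap-2.4.so.2 (0x7f1a2b000000)
	libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x7f1a2a000000)
	libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x7f1a29000000)'

for sample in FEDORA_LDD MAGEIA_LDD; do
    eval "text=\$$sample"
    backend=$(printf '%s\n' "$text" | tls_backend_from_ldd)
    echo "$sample: backend=$backend affected=$(affected_by_cve_2012_2668 "$backend")"
done

# Stand-alone run: classify the libldap installed on this host, if any.
# Paths are assumptions; adjust for the distribution under test.
if command -v ldd >/dev/null 2>&1; then
    for lib in /usr/lib64/libldap-2.4.so.2 /usr/lib/libldap-2.4.so.2 \
               /usr/lib/x86_64-linux-gnu/libldap-2.4.so.2; do
        [ -r "$lib" ] || continue
        backend=$(ldd "$lib" | tls_backend_from_ldd)
        echo "$lib: backend=$backend affected=$(affected_by_cve_2012_2668 "$backend")"
        break
    done
fi

# Live check is opt-in; e.g. against a server whose TLSCipherSuite excludes RC4:
#   tls_cipher_enforced ldap.example.org 636 RC4-SHA
```

Run the live check only against a server whose TLSCipherSuite you control, and pick a cipher that is both excluded by that setting and still offered by your `openssl` build, otherwise a rejection tells you nothing about the server.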