Bug 24076 - openldap new security issue CVE-2017-17740
Summary: openldap new security issue CVE-2017-17740
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: Buchan Milne
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on: 25286 26569
Blocks:
Reported: 2018-12-26 03:32 CET by David Walser
Modified: 2020-05-05 14:37 CEST

See Also:
Source RPM: openldap-2.4.47-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2018-12-26 03:32:14 CET
SUSE has issued an advisory on December 17:
http://lists.suse.com/pipermail/sle-security-updates/2018-December/004970.html

Mageia 6 is also affected.
David Walser 2018-12-26 03:32:20 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-12-26 08:10:41 CET
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => bgmilne

Comment 2 Buchan Milne 2018-12-30 21:20:34 CET
The crash occurs when using the nops overlay from contrib (which we do ship) with memberof (a supported overlay). The patch from SUSE is for the memberof overlay, but hasn't been submitted upstream.

Since the use of the nops overlay is much less likely than the memberof overlay, I would prefer not to patch the memberof overlay with a patch not reviewed by upstream or well tested (which I personally don't have time for now as I am going away on holiday).

I will try and revisit this when I am back (2nd week of Jan).
Comment 3 David Walser 2019-01-21 03:53:24 CET
Ping Buchan.
Comment 4 Buchan Milne 2019-01-30 17:22:42 CET
I would prefer to follow/support upstream here, which would be either:
* drop the nops overlay (quick change, but we would break any users of the nops overlay)
* submit a fix for the nops overlay in https://www.openldap.org/its/index.cgi?findid=8759 (would take a bit longer, but has the better ROI).

The patches other vendors are using seem to be the incorrect fix, and could break other configurations with multiple overlays.

Status: NEW => ASSIGNED

David Walser 2019-06-23 19:17:57 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

David Walser 2019-08-12 01:32:18 CEST

Depends on: (none) => 25286

Comment 5 Buchan Milne 2019-09-05 21:13:59 CEST
Based on the lack of progress by anyone to provide a correct fix, maybe we shouldn't ship the nops overlay?
Comment 6 David Walser 2019-09-05 23:33:24 CEST
That sounds reasonable.
Comment 7 David Walser 2019-11-26 23:16:34 CET
openSUSE has issued an advisory for this on September 24:
https://lists.opensuse.org/opensuse-updates/2019-09/msg00113.html
David Walser 2020-01-14 18:11:56 CET

Status comment: (none) => Can be fixed by dropping the nops overlay

David Walser 2020-04-30 19:31:24 CEST

Depends on: (none) => 26569

Comment 8 Buchan Milne 2020-05-02 10:32:35 CEST
openldap-2.4.50-1.1.mga7.src.rpm drops the nops overlay.

CC: (none) => bgmilne
Assignee: bgmilne => bugsquad

David Walser 2020-05-02 17:00:36 CEST

Whiteboard: MGA7TOO, MGA6TOO => (none)
Assignee: bugsquad => bgmilne
Version: Cauldron => 7
Status comment: Can be fixed by dropping the nops overlay => (none)

Comment 9 David Walser 2020-05-05 14:37:56 CEST
Fixed in:
https://advisories.mageia.org/MGASA-2020-0200.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

