Fedora has issued an advisory on June 28:
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083890.html

The patch is available from Fedora git:
http://pkgs.fedoraproject.org/gitweb/?p=openldap.git;a=blob_plain;f=openldap-cve-nss-cipher-suite-ignored.patch;hb=904778f62059c96a21cb047f18f02605416d2b1c

Strangely, the upstream commit to fix this was different:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blobdiff;f=libraries/libldap/tls_m.c;h=b608551e4dce051c12c27077ad1686e46c73c8aa;hp=23d843c0ec2c0d8697ad636f641630d3e4305845;hb=2c2bb2e;hpb=3f46f2e0bcc6b4eb3900c6686c26d7d3698a2255

That commit was linked from RedHat bugzilla here:
https://bugzilla.redhat.com/show_bug.cgi?id=825875

A bunch of other patches, also involving TLS, were added, and those can be found in Fedora git as well:
http://pkgs.fedoraproject.org/gitweb/?p=openldap.git

Mageia 1 and Mageia 2 are also affected.
CC: (none) => bgmilne
Whiteboard: (none) => MGA2TOO, MGA1TOO
Fedora/Red Hat compile OpenLDAP against nss/moznss, while we compile against openssl (because moznss is not yet mature enough for OpenLDAP, and OpenLDAP support for moznss within the limitations of moznss is also not very mature, with Red Hat being about the only user/developer of this support). Are we sure we are affected? According to the Red Hat bug, we are not affected: "It was reported that OpenLDAP, when using the Mozilla NSS backend, would ignore any TLSCipherSuite configuration settings. When the TLSCipherSuite setting is configured, OpenLDAP would use the default cipher suite, ignoring the setting."
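An added check, not part of this bug thread or of OpenLDAP: given the TLSCipherSuite value from slapd.conf and the `openssl s_client` output of a connection to the server, it expands the cipher string in-process with Python's ssl module and reports whether the negotiated cipher is one the setting permits, which is how a defender would confirm the setting is actually honoured rather than silently replaced by the backend default. It assumes OpenSSL cipher-string syntax (the openssl backend used here, not MozNSS); the s_client output below is constructed, not a real capture.

```python
import re
import ssl

# Lines as printed in the SSL-Session block of "openssl s_client -connect host:636"
# (or "-starttls ldap" on port 389).
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.MULTILINE)
PROTOCOL_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.MULTILINE)


def expand_cipher_suite(spec):
    """Expand an OpenSSL-style TLSCipherSuite string into the set of cipher
    names it permits. Uses the local OpenSSL through the ssl module, so no
    server is contacted; an invalid or empty spec raises ssl.SSLError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return {c["name"] for c in ctx.get_ciphers()}


def negotiated_cipher(s_client_output):
    """Return (protocol, cipher) parsed from openssl s_client output."""
    proto = PROTOCOL_RE.search(s_client_output)
    cipher = CIPHER_RE.search(s_client_output)
    if not proto or not cipher:
        raise ValueError("no Protocol/Cipher lines found in s_client output")
    return proto.group(1), cipher.group(1)


def cipher_suite_honoured(spec, s_client_output):
    """True if the server's negotiated cipher is allowed by TLSCipherSuite,
    False if it is not (the setting is being ignored, as in the MozNSS bug),
    None for TLS 1.3, whose suites the TLSCipherSuite string does not govern."""
    proto, cipher = negotiated_cipher(s_client_output)
    if proto == "TLSv1.3":
        return None
    return cipher in expand_cipher_suite(spec)


# Constructed sample of the relevant s_client lines (hypothetical server).
SAMPLE_TLS12 = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""

if __name__ == "__main__":
    for spec in ("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"):
        print(spec, "->", cipher_suite_honoured(spec, SAMPLE_TLS12))
```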
Yes, it appears that the tls_m.c that is implicated in most of Fedora's recent changes is used for TLS using MozNSS, so we wouldn't be impacted by them, including the CVE.

The only changes that were to something other than tls_m.c are these ones:

http://pkgs.fedoraproject.org/gitweb/?p=openldap.git;a=commitdiff;h=5172ff7830aa994e8e7b789508018fc37a6b1792
http://pkgs.fedoraproject.org/gitweb/?p=openldap.git;a=commitdiff;h=ac8a31ed532476c66960f896054713d98be3ecf7
http://pkgs.fedoraproject.org/gitweb/?p=openldap.git;a=commitdiff;h=916cbca281e4baf6c4dc6d9e1ac87ef15557146d

So it looks like we don't need to issue a security update. I don't know how important any issues that might have been solved by any of the above changes are, so I'll leave that up to you. In the meantime, we can close this bug as INVALID.
(In reply to comment #2)
> Yes, it appears that the tls_m.c that is implicated in most of Fedora's recent
> changes is used for TLS using MozNSS, so we wouldn't be impacted by them,
> including the CVE.
>
> The only changes that were to something other than tls_m.c are these ones:
>
> http://pkgs.fedoraproject.org/gitweb/?p=openldap.git;a=commitdiff;h=5172ff7830aa994e8e7b789508018fc37a6b1792

Minor bug-fix. I would prefer to handle a number of other minor bugs as well, either by pushing 2.4.32 or so, or cherry-picking a number of other fixes (such as those related to the new mdb backend).

> http://pkgs.fedoraproject.org/gitweb/?p=openldap.git;a=commitdiff;h=ac8a31ed532476c66960f896054713d98be3ecf7
>

TLS-related, looks like it may be MozNSS-specific.

> http://pkgs.fedoraproject.org/gitweb/?p=openldap.git;a=commitdiff;h=916cbca281e4baf6c4dc6d9e1ac87ef15557146d

IMHO this looks like fixing the wrong problem (lack of checkpointing in default config, and no means of forcing explicit database recovery during start in RH/Fedora init script/systemd PreExec script), or an issue related to native systemd support, which we don't (yet) provide.
Status: NEW => RESOLVED
Resolution: (none) => INVALID