Your message dated Sun, 1 Aug 2021 20:41:05 +0200
with message-id <[email protected]>
and subject line Re: apache-directory-server: CVE-2021-33900
has caused the Debian Bug report #991614,
regarding apache-directory-server: CVE-2021-33900
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
991614: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991614
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: apache-directory-server
Version: 2.0.0~M24-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.0.0~M24-3

Hi,

The following vulnerability was published for apache-directory-server.

CVE-2021-33900[0]:
| While investigating DIRSTUDIO-1219 it was noticed that configured
| StartTLS encryption was not applied when any SASL authentication
| mechanism (DIGEST-MD5, GSSAPI) was used. While investigating
| DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality
| layer was not applied. This issue affects Apache Directory Studio
| version 2.0.0.v20210213-M16 and prior versions.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33900
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33900

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Hi Markus,

On Sun, Aug 01, 2021 at 05:53:55PM +0200, Salvatore Bonaccorso wrote:
> Hi Markus,
> 
> On Sun, Aug 01, 2021 at 05:28:23PM +0200, Markus Koschany wrote:
> > On Wed, 28 Jul 2021 17:44:49 +0200 Salvatore Bonaccorso <[email protected]>
> > wrote:
> >  
> > > Hi,
> > > 
> > > The following vulnerability was published for apache-directory-server.
> > > 
> > > CVE-2021-33900[0]:
> > 
> > 
> > Hi Salvatore,
> > 
> > are you sure CVE-2021-33900 corresponds to apache-directory-server as well?
> > To me it seems the vulnerability is in apache-directory-studio which is a
> > different Apache project
> > 
> > https://github.com/apache/directory-studio/
> > 
> > We haven't packaged that yet.
> 
> I will have a look again (hopefully today) and come back to you again.
> Maybe this was a mistake, so I will recheck.

So absolutely correct. The issue is in Apache Directory Studio. It
went from an error in tracking initially in 7adc1d9f0406
("CVE-2021-33900/apacheds") in the security-tracker repo, to fixing
the source package name in cff955e4f7e3 ("CVE-2021-33900: Track source
package name apache-directory-server") but without noticing the wrong
source package affected.

So, right, and closing this issue (and corrected along the
security-tracker tracking of CVE-2021-33900).

Regards,
Salvatore

--- End Message ---
