On Mar 28, 2011, at 11:36 PM, Adam D. Barratt wrote:

> Hi,
>
> Thanks for working on fixing issues in stable.
>
> On Mon, 2011-03-28 at 22:41 +0200, Matthijs Möhlmann wrote:
>> According to bug #617606 there are currently 2 CVEs open.
>> CVE-2011-1024:
> [...]
>> CVE-2011-1025:
>
> These look okay, although it doesn't appear that they've been resolved
> in unstable yet? If so, that really should be done first. Once the
> patches have been tested in unstable, we can then look again at applying
> them to stable.
>
>> CVE-2011-1081:
>> modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attackers to
>> cause a denial of service (daemon crash) via a relative Distinguished Name
>> (DN) modification request (aka MODRDN operation) that contains an empty
>> value for the OldDN field.
>> Fix:
>> http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/modrdn.c.diff?hideattic=1&r1=text&tr1=1.181&r2=text&tr2=1.182&f=c
>> Impact: High, possibility to remotely crash slapd.
>
> The security tracker indicates that this CVE hasn't yet been checked for
> its applicability to and impact on Debian. Have you confirmed with the
> security team that they don't wish to handle this?

No, I haven't confirmed with the security team. I'll file a ticket in their bug tracking and then they can decide what to do, as suggested by Michael Gilbert.

>> Then we have a possible database corruption (introduced by patch
>> service-operational-before-detach (debian specific))
>> Fix:
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=service-operational-before-detach;att=1;bug=616164
>> Above fix is the new patch for service-operational-before-detach.
>
> Looking at the upstream commits, should servers/slapd/main.c r1.279 be
> included here? As with the earlier patches, this should also be tested
> in unstable before being applied to stable.
>
> Regards,
>
> Adam

You are right, I shouldn't blindly copy patches. Thanks for the notice.

Regards,

Matthijs Möhlmann

-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/0768c501-d485-46b5-8d34-ca8be419e...@cacholong.nl
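The CVE-2011-1081 description quoted in the thread says the crash is triggered by a MODRDN request whose OldDN (the `entry` field of an LDAP ModifyDNRequest) is empty. The following is an added example, written for this page and not code from the Debian thread, from OpenLDAP or from the modrdn.c fix linked above: a minimal BER decoder for LDAP ModifyDNRequest PDUs as defined in RFC 4511 (LDAPMessage SEQUENCE, messageID INTEGER, ModifyDNRequest under APPLICATION tag 12, which encodes as 0x6C) plus a check that flags the empty-OldDN shape, so a front-end, proxy or test harness can reject such a request with a normal protocol error instead of handing it to a vulnerable server. The sample PDUs at the bottom are constructed here for illustration; the function and variable names are this example's own.

```python
# Added example (not from the Debian thread, OpenLDAP, or the linked fix):
# decode LDAP ModifyDNRequest PDUs (RFC 4511) and flag an empty entry/OldDN.

MODIFY_DN_REQUEST_TAG = 0x6C  # APPLICATION 12, constructed (RFC 4511)


def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value, next_pos).

    Raises ValueError on truncation so callers can treat garbage as non-matching.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _read_children(buf):
    """Decode a sequence of TLVs that exactly fills buf."""
    children, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        children.append((tag, value))
    return children


def parse_ldap_message(pdu):
    """Return {"messageID", "op"} and, for a ModifyDNRequest, its four fields."""
    tag, body, end = _read_tlv(pdu, 0)
    if tag != 0x30 or end != len(pdu):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    fields = _read_children(body)
    if len(fields) < 2 or fields[0][0] != 0x02:
        raise ValueError("missing messageID INTEGER")
    msg = {"messageID": int.from_bytes(fields[0][1], "big"), "op": fields[1][0]}
    if msg["op"] == MODIFY_DN_REQUEST_TAG:
        parts = _read_children(fields[1][1])
        # entry LDAPDN (OCTET STRING), newrdn RelativeLDAPDN, deleteoldrdn BOOLEAN
        if (len(parts) < 3 or parts[0][0] != 0x04
                or parts[1][0] != 0x04 or parts[2][0] != 0x01):
            raise ValueError("malformed ModifyDNRequest")
        msg["entry"] = parts[0][1].decode("utf-8")
        msg["newrdn"] = parts[1][1].decode("utf-8")
        msg["deleteoldrdn"] = parts[2][1] != b"\x00"
        msg["newSuperior"] = None
        for t, v in parts[3:]:
            if t == 0x80:  # newSuperior [0] LDAPDN OPTIONAL, context-specific primitive
                msg["newSuperior"] = v.decode("utf-8")
    return msg


def is_empty_olddn_modrdn(pdu):
    """True when pdu is a MODRDN whose entry (OldDN) is the empty string."""
    try:
        msg = parse_ldap_message(pdu)
    except (ValueError, UnicodeDecodeError):
        return False  # undecodable input is not a match; let the real parser reject it
    return msg["op"] == MODIFY_DN_REQUEST_TAG and msg.get("entry") == ""


# --- constructed sample PDUs for illustration (short-form lengths suffice) ---
def _tlv(tag, value):
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def build_modrdn(message_id, entry, newrdn, delete_old=True, new_superior=None):
    """Encode a ModifyDNRequest LDAPMessage (hypothetical helper, for samples)."""
    op = (_tlv(0x04, entry.encode()) + _tlv(0x04, newrdn.encode())
          + _tlv(0x01, b"\xff" if delete_old else b"\x00"))
    if new_superior is not None:
        op += _tlv(0x80, new_superior.encode())
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(MODIFY_DN_REQUEST_TAG, op))


NORMAL_MODRDN = build_modrdn(3, "cn=alice,dc=example,dc=com", "cn=alicia")
MOVED_MODRDN = build_modrdn(5, "cn=alice,dc=example,dc=com", "cn=alice",
                            new_superior="ou=staff,dc=example,dc=com")
EMPTY_OLDDN_MODRDN = build_modrdn(4, "", "cn=alicia")  # the shape the CVE text describes
```

The decoder deliberately raises on truncated or oversized lengths rather than reading past the buffer, and the check returns False for anything it cannot decode, so it only ever answers the one question the CVE text poses (is this a MODRDN with an empty OldDN) and leaves everything else to the server's own parser. Whether a given Debian slapd build is actually affected still has to be settled by the version and patch state discussed in the thread, not by this check.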