Matthijs Möhlmann <matth...@cacholong.nl> wrote:
> On Mar 28, 2011, at 11:36 PM, Adam D. Barratt wrote:
>
>> Hi,
>>
>> Thanks for working on fixing issues in stable.
>>
>> On Mon, 2011-03-28 at 22:41 +0200, Matthijs Möhlmann wrote:
>>> According to bug #617606 there are currently 2 CVEs open.
>>> CVE-2011-1024:
>> [...]
>>> CVE-2011-1025:
>>
>> These look okay, although it doesn't appear that they've been resolved
>> in unstable yet? If so, that really should be done first. Once the
>> patches have been tested in unstable, we can then look again at applying
>> them to stable.
>>
>>> CVE-2011-1081:
>>> modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attackers
>>> to cause a denial of service (daemon crash) via a relative Distinguished
>>> Name (DN) modification request (aka MODRDN operation) that contains an
>>> empty value for the OldDN field.
>>> Fix:
>>> http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/modrdn.c.diff?hideattic=1&r1=text&tr1=1.181&r2=text&tr2=1.182&f=c
>>> Impact: High, possibility to remotely crash slapd.
>>
>> The security tracker indicates that this CVE hasn't yet been checked for
>> its applicability to and impact on Debian. Have you confirmed with the
>> security team that they don't wish to handle this?
>>
>
> No I haven't confirmed with the security team. I'll file a ticket in their bug
> tracking and then they can decide what to do. As suggested by Michael Gilbert.

Please proceed with a stable point update.

Cheers,
Moritz