2015-02-24 1:36 GMT+01:00 Howard Chu <[email protected]>:
> Clément OUDOT wrote:
>>
>> Hi,
>>
>> I saw two CVEs on OpenLDAP today:
>> * http://vigilance.fr/vulnerability/OpenLDAP-NULL-pointer-dereference-via-deref-16124
>> * http://vigilance.fr/vulnerability/OpenLDAP-use-after-free-via-Matched-Values-16125
>>
>> I don't know whether they are reported in an ITS.
>
>
> That's because you're reading 2nd- or 3rd-hand reports. Read the actual CVEs
> and you'll see that the relevant ITSs are already linked:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546
>
> Given that the deref overlay isn't even documented and is probably used by
> only a handful of OpenLDAP developers, I don't believe it even merited a CVE
> record.
Agreed on the deref CVE, but I can confirm that the matched values bug is present in the official 2.4.40 release (and therefore in the LTB packages). I saw that 2.4.41 is in preparation; any idea of a release date?

Clément.
