he@NetBSD.org wrote:
Full_Name: Havard Eidnes
Version: 2.4.44
OS: NetBSD
URL:
Submission from: (NULL) (2001:700:1:0:eeb1:d7ff:fe59:fbaa)
Hi,
CVE-2015-3276 appears to be unfixed in 2.4.44, and from several attempts at finding the bug reported in your mailing list archive I came up empty. So ... The best I've found from this CVE is RedHat's bugzilla entry at
https://bugzilla.redhat.com/show_bug.cgi?id=1238322
which contains a (suggested) patch.
We can integrate a suggested fix if the patch author submits their patch to our ITS directly. Due to IPR concerns we don't accept or act on 3rd party patch submissions.
Summarized:
The openldap (for NSS) emulation of the openssl cipherstring parsing code
incorrectly implements the multi-keyword mode. As a consequence anyone using a combination like:
ECDH+SHA
will not get the expected set of ciphers [...]
(I'm somewhat dismayed that this was apparently not reported upstream earlier...)
Best regards,
- Håvard
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
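The report above hinges on what OpenSSL's multi-keyword mode means: within one cipherstring element, `+` is a logical AND, so `ECDH+SHA` selects only suites that carry both keywords, and an emulation that treats `+` like the `:` list separator ends up selecting far more. The following is an added example, not code from the report or from OpenLDAP, that models both behaviours over a small constructed cipher table so the difference can be checked offline.

```python
# Added example (not from the OpenLDAP report or its code): OpenSSL cipherstring
# semantics modelled over a constructed, illustrative cipher table.
# In OpenSSL a '+' joins keywords within one element as a logical AND (the
# element matches only suites carrying every keyword); ':' separates elements
# (union, in order); '!' permanently removes matching suites.
CONSTRUCTED_SUITES = {
    # suite name -> set of property keywords (constructed for this example)
    "ECDHE-RSA-AES128-SHA":    {"ECDH", "RSA", "AES128", "SHA", "TLSv1"},
    "ECDHE-RSA-AES128-SHA256": {"ECDH", "RSA", "AES128", "SHA256", "TLSv1.2"},
    "ECDHE-ECDSA-AES256-SHA":  {"ECDH", "ECDSA", "AES256", "SHA", "TLSv1"},
    "DHE-RSA-AES128-SHA":      {"DH", "RSA", "AES128", "SHA", "TLSv1"},
    "AES128-SHA":              {"kRSA", "RSA", "AES128", "SHA", "TLSv1"},
}


def match_element(element, table):
    """Suites matching one ':'-separated element; '+' requires every keyword."""
    keywords = element.split("+")
    return [name for name, props in table.items() if all(k in props for k in keywords)]


def select_ciphers(cipherstring, table=CONSTRUCTED_SUITES, intersect=True):
    """Resolve a cipherstring to an ordered suite list.

    intersect=True is the OpenSSL rule ('+' = AND). intersect=False models a
    parser that treats '+' as keyword OR, the class of mistake the report
    describes; it is a simplified model, not OpenLDAP's actual tls_m.c logic.
    """
    selected, banned = [], set()
    for element in cipherstring.split(":"):
        if not element:
            continue
        if element.startswith("!"):
            banned.update(match_element(element[1:], table))
            continue
        if intersect:
            matches = match_element(element, table)
        else:
            matches = [n for k in element.split("+") for n in match_element(k, table)]
        for name in matches:
            if name not in selected and name not in banned:
                selected.append(name)
    return [n for n in selected if n not in banned]


if __name__ == "__main__":
    print(select_ciphers("ECDH+SHA"))                   # AND: the two ECDHE-*-SHA suites
    print(select_ciphers("ECDH+SHA", intersect=False))  # OR: also DHE and kRSA SHA suites
```

Running the module prints the two lists side by side; the OR variant admits DHE and plain RSA suites that an administrator writing `ECDH+SHA` never asked for, which is exactly why a cipherstring emulation must be tested against `openssl ciphers -v` output rather than assumed equivalent.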