--On Tuesday, December 13, 2016 10:44 AM +0000 hyc@symas.com wrote:
he@NetBSD.org wrote:
Full_Name: Havard Eidnes
Version: 2.4.44
OS: NetBSD
URL:
Submission from: (NULL) (2001:700:1:0:eeb1:d7ff:fe59:fbaa)
Hi,
CVE-2015-3276 appears to be unfixed in 2.4.44, and from several attempts at finding the bug reported in your mailing list archive I came up empty. So ... The best I've found from this CVE is RedHat's bugzilla entry at
https://bugzilla.redhat.com/show_bug.cgi?id=1238322
which contains a (suggested) patch.
We can integrate a suggested fix if the patch author submits their patch to our ITS directly. Due to IPR concerns we don't accept or act on 3rd party patch submissions.
I would also note that MozNSS is not an officially supported TLS library for OpenLDAP, and the hack that was added for 2.4 will be removed in the future (likely OpenLDAP 2.5 and later). End administrators should generally avoid MozNSS entirely.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com