2015-02-24 1:36 GMT+01:00 Howard Chu hyc@symas.com:
Clément OUDOT wrote:
Hi,
I saw today two CVE on OpenLDAP:
http://vigilance.fr/vulnerability/OpenLDAP-NULL-pointer-dereference-via-dere...
http://vigilance.fr/vulnerability/OpenLDAP-use-after-free-via-Matched-Values...
Don't know if they are reported in some ITS.
That's because you're reading 2nd or 3rd-hand reports. Read the actual CVEs and you'll see that relevant ITSs already linked.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546
Given that the deref overlay isn't even documented and is probably used by only a handful of OpenLDAP developers I don't believe it even merited a CVE record.
Agreed for the deref CVE, but I confirm that the matched values bug is present in 2.4.40 official version (and so in LTB packages). I saw that 2.4.41 was in preparation, any idea of a release date?
Clément.