On 3/23/21 8:02 AM, Ulrich Windl wrote:
>>> Quanah Gibson-Mount <quanah(a)symas.com> wrote on 22.03.2021 at 16:08 in
message <0F2233BBFC3A030E35FD7AD5(a)[192.168.1.156]>:
> --On Monday, March 22, 2021 8:20 AM +0000 Dario García Díaz-Miguel
> <dgdiaz(a)gmv.com> wrote:
>> Thank you, appreciated. But as I told you, we are not allowed to use any
>> external source that is not included and audited previously by a special
>> security entity.
>
> Given there have been a number of security and remote crasher issues fixed
> since that release, one would have to seriously question the efficacy of
> the company's system.
> To be fair, one should add that SUSE is backporting security fixes to their
> version.
While I sometimes backport patches not yet released in the 2.4.x series, I
think backport patching imposes higher risks and should generally be
avoided for various reasons.
It's also not clear to me how closely SUSE maintainers are monitoring
upstream changes or whether backport patches are only added in case a
SUSE customer sent in a sufficiently specific support request. They will
definitely add a patch for a security issue with CVE-Ids assigned, but
not every one had one.
Moreover, at least one customer-fix patch, also added to the openSUSE
package, was so obscure that I've branched the openSUSE package openldap2
and maintain it without obscure backport patches.
BTW: You can check how the package openldap2 is built for the upcoming SLE15SP3
in the openSUSE Leap 15.3 repo, because both will be binary-compatible
from that version on:
https://build.opensuse.org/package/show/openSUSE:Leap:15.3/openldap2
Ciao, Michael.