Antw: [EXT] RE: SHA-256 Password Support and OpenLDAP2-2.4.46 SLES15SP2
>> Quanah Gibson-Mount <quanah(a)symas.com> schrieb am
22.03.2021 um 16:08 in
Nachricht <0F2233BBFC3A030E35FD7AD5(a)[192.168.1.156]>:
--On Monday, March 22, 2021 8:20 AM +0000 Dario García Díaz-Miguel
<dgdiaz(a)gmv.com> wrote:
>
> Thank you, appreciated. But as I told you, we are not allowed to use any
> external source that is not included and audited previously by a special
> security entity.
Given there have been a number of security and remote crasher issues fixed
since that release, one would have to seriously question the efficacy of
company's system.
To be fair, one should add that SUSE is backporting security fixes to their
version. For example for the most recent update:
- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the
X.509 DN parsing in decode.c ber_next_element, resulting in denial
of service.
* 0218-ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.patch
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN
parsing in ad_keystring, resulting in denial of service.
* 0220-ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash
in the Certificate List Exact Assertion processing, resulting in
denial of service.
* 0221-ITS-9427-fix-issuerAndThisUpdateCheck.patch
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the
cancel_extop Cancel operation, resulting in denial of service.
* 0222-ITS-9428-fix-cancel-exop.patch
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the
saslAuthzTo processing, resulting in denial of service.
* 0216-ITS-9412-fix-AVA_Sort-on-invalid-RDN.patch
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash
in the saslAuthzTo processing, resulting in denial of service.
* 0215-ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.patch
* 0214-ITS-9409-saslauthz-use-ch_free-on-normalized-DN.patch
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd
crash in the saslAuthzTo processing, resulting in denial of service.
* 0217-ITS-9413-fix-slap_parse_user.patch
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the
saslAuthzTo validation, resulting in denial of service.
* 0211-ITS-9406-9407-remove-saslauthz-asserts.patch
* 0212-ITS-9406-fix-debug-msg.patch
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact
Assertion processing, resulting in denial of service (schema_init.c
serialNumberAndIssuerCheck).
* 0210-ITS-9404-fix-serialNumberAndIssuerCheck.patch
* 0219-ITS-9424-fix-serialNumberAndIssuerSerialCheck.patch
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter
control handling, resulting in denial of service (double free and
out-of-bounds read).
* 0213-ITS-9408-fix-vrfilter-double-free.patch
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>