Hi Team,
We are currently using OpenLDAP version 2.4.57, in which vulnerability CVE-2023-2953 was not there. We are planning to upgrade to OpenLDAP-2.6.4; however, in this version we found CVE-2023-2953 in our scanning. Can you please help us understand why this vulnerability is still open in the latest release?
In which release can we expect this vulnerability to be resolved?
Appreciate your earliest response.
Regards, Sahil
--On Thursday, June 15, 2023 11:34 AM +0000 Sahil Sharma D sahil.d.sharma@ericsson.com wrote:
> Hi Team,
> We are currently using OpenLDAP version 2.4.57, in which vulnerability CVE-2023-2953 was not there.
> We are planning to upgrade to OpenLDAP-2.6.4; however, in this version we found CVE-2023-2953 in our scanning. Can you please help us understand why this vulnerability is still open in the latest release?
The real issue is that anyone can file a CVE, even against unused code, as was noted in the ITS. The code in question will be fixed in 2.6.5 and 2.5.15, however, again, it's for an unused historic deprecated function. So is it *really* a vulnerability?
--Quanah
--On Thursday, June 15, 2023 8:00 AM -0700 Quanah Gibson-Mount quanah@fast-mail.org wrote:
> --On Thursday, June 15, 2023 11:34 AM +0000 Sahil Sharma D sahil.d.sharma@ericsson.com wrote:
>> Hi Team,
>> We are currently using OpenLDAP version 2.4.57, in which vulnerability CVE-2023-2953 was not there.
>> We are planning to upgrade to OpenLDAP-2.6.4; however, in this version we found CVE-2023-2953 in our scanning. Can you please help us understand why this vulnerability is still open in the latest release?
> The real issue is that anyone can file a CVE, even against unused code, as was noted in the ITS. The code in question will be fixed in 2.6.5 and 2.5.15, however, again, it's for an unused historic deprecated function. So is it *really* a vulnerability?
Hi,
Sorry, I put in the wrong releases. It was fixed in both 2.5.14 and 2.6.4. I'd guess that your vulnerability scanner is incorrect, that often happens. But as I noted, it's for an unused deprecated function.
Regards, Quanah
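A small triage helper, added here as an example (it is not code from this thread or from the OpenLDAP project), showing why a scanner finding like the one above has to be checked per release branch against the fixed releases Quanah names (2.5.14 and 2.6.4): 2.6.4 carries the fix even though its patch number is lower than the 2.5 branch's fixed patch number. Assumptions: version strings are of the form x.y.z, optionally prefixed with "OpenLDAP-" or "openldap"; the scanner lines are constructed sample input; and the 2.4 branch is reported as "unknown" because the thread does not state its status.

```python
"""Triage helper for CVE-2023-2953 scanner findings against OpenLDAP versions.

Constructed example: uses only the fixed releases stated in the mailing-list
thread (2.5.14 and 2.6.4). It says nothing about whether the affected code is
actually reachable in a deployment, which is the thread's real point.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Release in which the fix landed, per branch (major, minor), as stated in the
# thread. The 2.4 branch is not mentioned, so it is deliberately absent here
# and reported as "unknown" rather than guessed.
FIXED_IN: Dict[Tuple[int, int], Version] = {
    (2, 5): (2, 5, 14),
    (2, 6): (2, 6, 4),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract an x.y.z version from strings like 'OpenLDAP-2.6.4' or '2.6.4'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def cve_2023_2953_status(version_text: str) -> str:
    """Return 'fixed', 'affected' or 'unknown' for the given version string.

    The comparison is done within the version's own branch: a flat comparison
    of patch numbers across branches (4 < 14) would wrongly flag 2.6.4, which
    is the kind of mistake a version-only scanner signature can make.
    """
    version = parse_version(version_text)
    branch = (version[0], version[1])
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        return "unknown"
    return "fixed" if version >= fixed else "affected"


# Constructed scanner-style findings (host, product string, CVE); not real output.
SAMPLE_FINDINGS: List[str] = [
    "ldap-a  OpenLDAP-2.6.4   CVE-2023-2953",
    "ldap-b  OpenLDAP-2.6.3   CVE-2023-2953",
    "ldap-c  OpenLDAP-2.5.14  CVE-2023-2953",
    "ldap-d  OpenLDAP-2.4.57  CVE-2023-2953",
]


def triage(findings: List[str]) -> List[Tuple[str, str, str]]:
    """Map each 'host product cve' finding to (host, cve, status)."""
    results = []
    for line in findings:
        host, product, cve = line.split()
        results.append((host, cve, cve_2023_2953_status(product)))
    return results


if __name__ == "__main__":
    for host, cve, status in triage(SAMPLE_FINDINGS):
        print(f"{host}: {cve} -> {status}")
```

The "fixed" result only means the upstream release contains the fix; distribution packages that backport fixes without bumping the version string, or builds that never call the deprecated function at all, are cases where the version string alone over- or under-states exposure, so treat the output as a first pass before reading the ITS entry the thread refers to.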
openldap-technical@openldap.org