Debian Bug report logs - #676309
openldap: CVE-2012-2668 does not honor TLSCipherSuite settings


Package: openldap; Maintainer for openldap is Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>;

Reported by: Henri Salo <henri@nerv.fi>

Date: Wed, 6 Jun 2012 05:03:10 UTC

Severity: important

Tags: security

Found in version 2.4.23-7.2

Done: Henri Salo <henri@nerv.fi>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#676309; Package openldap. (Wed, 06 Jun 2012 05:03:12 GMT)

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Wed, 06 Jun 2012 05:03:12 GMT)

Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: openldap: CVE-2012-2668 does not honor TLSCipherSuite settings
Date: Wed, 6 Jun 2012 08:01:38 +0300
Package: openldap
Version: 2.4.23-7.2
Severity: important
Tags: security

https://bugzilla.redhat.com/show_bug.cgi?id=825875
"""
It was reported that OpenLDAP, when using the Mozilla NSS backend, would ignore any TLSCipherSuite configuration settings.  When the TLSCipherSuite setting is configured, OpenLDAP would use the default cipher suite, ignoring the setting.

While the default cipher suite contains some weak ciphers (e.g. MD5-based), it is still not easy to break the encryption to obtain sensitive information.  However, if an administrator wishes to enforce the use of stronger ciphers by overriding the defaults using TLSCipherSuite, they should be able to trust that, when the configuration item is in place, the stronger ciphers are used.  Due to this flaw, that is not the case.
"""

http://www.openldap.org/its/index.cgi?findid=7285
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=2c2bb2e

Please contact me in case you need testers for this issue.

- Henri Salo

-- System Information:
Debian Release: 6.0.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
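The flaw quoted above is a silent one: the TLSCipherSuite directive is accepted, but the NSS backend keeps negotiating its default list. A configuration review therefore cannot confirm the fix; only the cipher the server actually negotiates can. The script below is an added example, not code from this bug report, from OpenLDAP or from Red Hat. It uses Python's standard `ssl` module to record the negotiated `(name, protocol, bits)` tuple from a live LDAPS session and checks it against a weak-cipher policy. The MD5 criterion comes from the report; the other markers, the 128-bit floor, the host names and the sample results are assumptions of this example. It works the same way whatever TLS library the server is built against (NSS, GnuTLS or OpenSSL), which matters given the backend discussion later in this bug.

```python
"""Check the cipher an LDAPS server really negotiates instead of trusting
its TLSCipherSuite setting. Added example; not part of the Debian bug
report, of OpenLDAP or of the Red Hat advisory it quotes.
"""
import socket
import ssl

# Substrings that flag a negotiated cipher as unacceptable. The report only
# names MD5-based suites; the remaining markers (RC4, single/triple DES,
# NULL, export grade, anonymous DH/ECDH) are this example's own assumption.
WEAK_MARKERS = ("MD5", "RC4", "DES", "NULL", "EXP-", "ADH", "AECDH")


def audit_cipher(cipher_info, min_bits=128):
    """cipher_info is the (name, protocol, secret_bits) tuple returned by
    ssl.SSLSocket.cipher(). Returns (ok, reason)."""
    name, protocol, bits = cipher_info
    if bits is None or bits < min_bits:
        return False, f"{name}: only {bits} secret bits (< {min_bits})"
    upper = name.upper()
    for marker in WEAK_MARKERS:
        if marker in upper:
            return False, f"{name}: weak component {marker}"
    return True, f"{name} over {protocol}: acceptable"


def probe_ldaps(host, port=636, timeout=5.0):
    """Open a TLS session to host:port and return the negotiated cipher tuple.

    Certificate verification is switched off on purpose: the question here is
    which cipher the server picks, not whether its certificate chains. The
    function is only called explicitly; importing this module contacts nothing.
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()


# Constructed sample results (assumed, not captured from any real server) so
# the audit logic runs offline. The first mirrors an NSS-backed slapd that
# ignored TLSCipherSuite and fell back to its default list; the second a
# server whose cipher setting took effect.
SAMPLE_RESULTS = {
    "ldap-default.example (assumed)": ("RC4-MD5", "TLSv1", 128),
    "ldap-hardened.example (assumed)": ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256),
}

if __name__ == "__main__":
    for label, info in SAMPLE_RESULTS.items():
        ok, reason = audit_cipher(info)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {reason}")
    # Live use against a host you administer, e.g.:
    # print(audit_cipher(probe_ldaps("ldap.example.org")))
```

Run it once with the constructed samples to see both verdicts, then point `probe_ldaps` at a server you operate after changing TLSCipherSuite; if the negotiated name still carries MD5 or RC4, the directive is not being honoured, exactly the condition CVE-2012-2668 describes.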




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#676309; Package openldap. (Wed, 06 Jun 2012 06:27:05 GMT)

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Wed, 06 Jun 2012 06:27:06 GMT)

Message #10 received at 676309@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Henri Salo <henri@nerv.fi>, 676309@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#676309: openldap: CVE-2012-2668 does not honor TLSCipherSuite settings
Date: Tue, 5 Jun 2012 23:24:32 -0700
On Wed, Jun 06, 2012 at 08:01:38AM +0300, Henri Salo wrote:
> Package: openldap
> Version: 2.4.23-7.2
> Severity: important
> Tags: security

> https://bugzilla.redhat.com/show_bug.cgi?id=825875
> """
> It was reported that OpenLDAP, when using the Mozilla NSS backend, would
> ignore any TLSCipherSuite configuration settings.  When the TLSCipherSuite
> setting is configured, OpenLDAP would use the default cipher suite,
> ignoring the setting.

OpenLDAP in Debian doesn't use the NSS backend, it uses GnuTLS.  How does
this bug apply to Debian?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#676309; Package openldap. (Wed, 06 Jun 2012 06:45:03 GMT)

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Wed, 06 Jun 2012 06:45:03 GMT)

Message #15 received at 676309@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 676309@bugs.debian.org
Subject: Bug#676309: openldap: CVE-2012-2668
Date: Wed, 6 Jun 2012 09:41:59 +0300
Then it does not affect Debian. I did not know this detail as I am not a user of this package. I thought it was better to report this issue to get the information public. I can add this detail to the Debian security tracker and close this bug.

- Henri Salo




Reply sent to Henri Salo <henri@nerv.fi>:
You have taken responsibility. (Wed, 06 Jun 2012 06:45:05 GMT)

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Wed, 06 Jun 2012 06:45:05 GMT)

Message #20 received at 676309-done@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 676309-done@bugs.debian.org
Subject: closing issue 676309
Date: Wed, 6 Jun 2012 09:44:14 +0300
Closing this bug report as per http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676309#10




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 04 Jul 2012 07:34:40 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 13:17:03 2014; Machine Name: beach.debian.org
