CrOS: Vulnerability reported in net-nds/openldap
Issue description

Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported. NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: net-nds/openldap
Package Version: [cpe:/a:openldap:openldap:2.4.38]

Advisory: CVE-2014-9713
Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2014-9713
CVSS severity score: 4/10.0
Confidence: high
Description: The default slapd configuration in the Debian openldap package 2.4.23-3 through 2.4.39-1.1 allows remote authenticated users to modify the user's permissions and other user attributes via unspecified vectors.

Advisory: CVE-2015-1545
Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2015-1545
CVSS severity score: 5/10.0
Confidence: high
Description: The deref_parseCtrl function in servers/slapd/overlays/deref.c in OpenLDAP 2.4.13 through 2.4.40 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an empty attribute list in a deref control in a search request.
Jan 23 2017

Jan 23 2017
Yes - I'll take a look at this when I get to the office today and update the bug later today.
Jan 23 2017
In the process of uprev'ing now. But we almost certainly are not impacted though. We build with the minimal use flag so we don't build or install slapd nor its config files. In addition to the uprev I'm going to mask a few client binaries that currently we do install but don't need.
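Added example, not code from this bug or from the ChromiumOS overlays: a POSIX sh triage helper that applies the reasoning in the comment above, checking whether a build's openldap version falls in the CVE-2015-1545 range and whether slapd or the LDAP client tools are actually installed in a sysroot. The sysroot paths, the client-tool list and the revision-suffix handling are assumptions for illustration, not taken from the ebuild or the env file.

```shell
#!/bin/sh
# Added example, not from this bug or the ChromiumOS overlays. Triage the two
# advisories on this bug against a build's net-nds/openldap version and sysroot.
#
# Affected ranges as stated in the advisory text above:
#   CVE-2015-1545  OpenLDAP 2.4.13 through 2.4.40 (slapd deref overlay crash)
#   CVE-2014-9713  Debian's default slapd configuration, 2.4.23-3 .. 2.4.39-1.1
# Both bugs live in slapd, so a build that never installs slapd is not exposed
# regardless of version. The sysroot paths and the client-tool list below are
# assumptions for illustration, not taken from the ebuild or the env file.

# vercmp A B: print -1, 0 or 1 comparing dotted numeric versions (2.4.38 style).
vercmp() {
  va="$1"; vb="$2"
  while [ -n "$va" ] || [ -n "$vb" ]; do
    ca="${va%%.*}"; cb="${vb%%.*}"
    if [ "$va" = "$ca" ]; then va=""; else va="${va#*.}"; fi
    if [ "$vb" = "$cb" ]; then vb=""; else vb="${vb#*.}"; fi
    ca="${ca:-0}"; cb="${cb:-0}"
    if [ "$ca" -lt "$cb" ]; then printf '%s\n' -1; return 0; fi
    if [ "$ca" -gt "$cb" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# in_range V LO HI: succeed when LO <= V <= HI.
in_range() {
  [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -le 0 ]
}

# cve_2015_1545_version_affected V: succeed for 2.4.13 .. 2.4.40 inclusive.
cve_2015_1545_version_affected() {
  in_range "$1" 2.4.13 2.4.40
}

# slapd_installed SYSROOT: succeed if the daemon or its config exists in the
# sysroot (assumed install paths).
slapd_installed() {
  sysroot="${1%/}"
  for p in /usr/sbin/slapd /usr/lib/openldap/slapd /etc/openldap/slapd.conf /etc/openldap/slapd.d; do
    [ -e "$sysroot$p" ] && return 0
  done
  return 1
}

# ldap_client_tools SYSROOT: print the installed client binaries, one per line;
# these are the kind of binaries a later INSTALL_MASK would drop (assumed list).
ldap_client_tools() {
  sysroot="${1%/}"
  for t in ldapadd ldapdelete ldapmodify ldapmodrdn ldappasswd ldapsearch ldapwhoami; do
    [ -x "$sysroot/usr/bin/$t" ] && printf '%s\n' "$t"
  done
  return 0
}

# triage_openldap VERSION SYSROOT: print a verdict; return 0 when not exposed to
# the two advisories, 1 when exposed. A Gentoo revision suffix (-r1, _p1) is
# stripped before comparing.
triage_openldap() {
  ver="${1%%-*}"; ver="${ver%%_*}"; sysroot="$2"
  if ! slapd_installed "$sysroot"; then
    echo "openldap $ver: slapd not installed; CVE-2014-9713 and CVE-2015-1545 not exposed"
    return 0
  fi
  if cve_2015_1545_version_affected "$ver"; then
    echo "openldap $ver: slapd installed and version in 2.4.13..2.4.40; CVE-2015-1545 exposed"
    return 1
  fi
  echo "openldap $ver: slapd installed, version outside the CVE-2015-1545 range; review slapd config for CVE-2014-9713 (Debian default-config issue)"
  return 0
}

# demo_constructed_sysroot: throwaway sysroot (constructed here) mimicking the
# state described in this bug (client tools present, no slapd) and its verdict.
demo_constructed_sysroot() {
  d=$(mktemp -d)
  mkdir -p "$d/usr/bin"
  for t in ldapsearch ldapwhoami; do : > "$d/usr/bin/$t"; chmod 755 "$d/usr/bin/$t"; done
  echo "client tools installed: $(ldap_client_tools "$d" | tr '\n' ' ')"
  triage_openldap 2.4.38-r1 "$d"
  rc=$?
  rm -rf "$d"
  return $rc
}

if [ "${OPENLDAP_TRIAGE_DEMO:-0}" = 1 ]; then
  demo_constructed_sysroot
fi
```

Run with `OPENLDAP_TRIAGE_DEMO=1 sh openldap_triage.sh` (file name assumed) to see the constructed case; against a real tree, pass the board sysroot and the installed ebuild version. Two caveats: `vercmp` only understands purely numeric dotted versions, so anything with letters must be stripped first, and the verdict says nothing about the client library, because both advisories on this bug are in slapd.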
Jan 23 2017

Jan 24 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/df77fdd9f9a1a9f42c66ca30e2d7d269e60726c7

commit df77fdd9f9a1a9f42c66ca30e2d7d269e60726c7
Author: Zentaro Kavanagh <zentaro@google.com>
Date: Tue Jan 24 00:14:02 2017

net-nds/openldap: upgrade package to 2.4.44

- Changes keywords to *
- Removes unused files

TEST=emerges
BUG= chromium:681785
Change-Id: I5dbdbc6c6118066e6d2797037f5bffffbe682156
Reviewed-on: https://chromium-review.googlesource.com/431401
Commit-Ready: Zentaro Kavanagh <zentaro@google.com>
Tested-by: Zentaro Kavanagh <zentaro@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[rename] https://crrev.com/df77fdd9f9a1a9f42c66ca30e2d7d269e60726c7/net-nds/openldap/openldap-2.4.44.ebuild
[delete] https://crrev.com/73f60bce25948415e3954fc82538e3d5ad97a78e/net-nds/openldap/files/openldap-2.4.33-gnutls.patch
[modify] https://crrev.com/df77fdd9f9a1a9f42c66ca30e2d7d269e60726c7/net-nds/openldap/Manifest
[modify] https://crrev.com/df77fdd9f9a1a9f42c66ca30e2d7d269e60726c7/net-nds/openldap/metadata.xml
[add] https://crrev.com/df77fdd9f9a1a9f42c66ca30e2d7d269e60726c7/net-nds/openldap/files/openldap-2.4.42-mdb-unbundle.patch
Jan 24 2017
The uprev is done. There is a follow-up CL that for extra good measure removes some binaries from the image that we never use - https://chromium-review.googlesource.com/#/c/431568/
Feb 8 2017
zentaro: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 8 2017
The package is updated. There is a follow-up that proactively removes additional unused binaries - but not required to resolve this.
Feb 9 2017

Feb 11 2017

Feb 12 2017
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions. Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 15 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 18 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 30 2017

Jul 6 2017
bulk Verify of older or not-user-facing Chromad bugs
Aug 30
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/ff8d9dba71cef6b0f4002ef9b9cf984ca5a82a52

commit ff8d9dba71cef6b0f4002ef9b9cf984ca5a82a52
Author: Zentaro Kavanagh <zentaro@google.com>
Date: Thu Aug 30 04:05:47 2018

Mask unused binaries from net-nds/openldap.

BUG= chromium:681785
TEST=emerges and runs
Change-Id: I81719ea4dfcad3fd87e5e66b37c0a719d329f628
Reviewed-on: https://chromium-review.googlesource.com/431568
Commit-Ready: Zentaro Kavanagh <zentaro@chromium.org>
Tested-by: Zentaro Kavanagh <zentaro@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/ff8d9dba71cef6b0f4002ef9b9cf984ca5a82a52/chromeos/config/env/net-nds/openldap
Comment 1 by kerrnel@chromium.org, Jan 23 2017

Components: OS>Packages
Labels: Security_Impact-Stable M-56 Security_Severity-High
Owner: zentaro@chromium.org
Status: Assigned (was: Untriaged)