Hide Forgot
The openldap (for NSS) emulation of the openssl cipherstring parsing code incorrectly implements the multi-keyword mode. As a consequence anyone using a combination like: ECDH+SHA will not get the expected set of ciphers ECDH-RSA-RC4-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-AES128-SHA ECDH-RSA-AES256-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-AES256-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA but instead will match DES-CBC-SHA DES-CBC3-SHA RC4-SHA EDH-RSA-DES-CBC-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC-SHA EDH-DSS-DES-CBC3-SHA EXP1024-DES-CBC-SHA EXP1024-RC4-SHA SEED-SHA AES128-SHA AES256-SHA CAMELLIA256-SHA CAMELLIA128-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-CAMELLIA256-SHA DHE-DSS-RC4-SHA DHE-DSS-AES128-SHA DHE-DSS-AES256-SHA DHE-DSS-CAMELLIA128-SHA DHE-DSS-CAMELLIA256-SHA ECDH-RSA-RC4-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-AES128-SHA ECDH-RSA-AES256-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-AES256-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA Acknowledgements: This issue was discovered by Martin Poole of the Red Hat Software Maintenance Engineering group.
A suggested patch is attached in comment 4.
Created openldap tracking bugs for this issue: Affects: fedora-all [bug 1243517]
Created attachment 1055640 [details] patch against current upstream to provide correct AND logic for multiple-mask keywords
Statement: This issue does not affect the version of openldap package as shipped with Red Hat Enterprise Linux 5.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2131 https://rhn.redhat.com/errata/RHSA-2015-2131.html
Which version of openLdap is affected by this vulnerability and in which version it is fixed ?
(In reply to Ankur Sao from comment #9) > Which version of openLdap is affected by this vulnerability and in which > version it is fixed ? By the looks of it, all versions of openLdap are affected; I know the latest at 2.4.44 is. I tried submitting this bug upstream, but got turned away because of IPR concerns over the rights to the fix, ref. http://www.openldap.org/its/index.cgi?findid=8543 Can someone from RedHat please submit this bugfix to LDAP, because that doesn't appear to have happened... Best regards, - Håvard