The openldap (for NSS) emulation of the openssl cipherstring parsing code incorrectly implements the multi-keyword mode. As a consequence anyone using a combination like: ECDH+SHA will not get the expected set of ciphers ECDH-RSA-RC4-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-AES128-SHA ECDH-RSA-AES256-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-AES256-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA but instead will match DES-CBC-SHA DES-CBC3-SHA RC4-SHA EDH-RSA-DES-CBC-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC-SHA EDH-DSS-DES-CBC3-SHA EXP1024-DES-CBC-SHA EXP1024-RC4-SHA SEED-SHA AES128-SHA AES256-SHA CAMELLIA256-SHA CAMELLIA128-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-CAMELLIA256-SHA DHE-DSS-RC4-SHA DHE-DSS-AES128-SHA DHE-DSS-AES256-SHA DHE-DSS-CAMELLIA128-SHA DHE-DSS-CAMELLIA256-SHA ECDH-RSA-RC4-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-AES128-SHA ECDH-RSA-AES256-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-AES256-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA Acknowledgements: This issue was discovered by Martin Poole of the Red Hat Software Maintenance Engineering group.
A suggested patch is attached in comment 4.
Created openldap tracking bugs for this issue: Affects: fedora-all [bug 1243517]
Created attachment 1055640 [details] patch against current upstream to provide correct AND logic for multiple-mask keywords
Statement: This issue does not affect the version of openldap package as shipped with Red Hat Enterprise Linux 5.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2131 https://rhn.redhat.com/errata/RHSA-2015-2131.html
Which version of openLdap is affected by this vulnerability and in which version it is fixed ?
(In reply to Ankur Sao from comment #9) > Which version of openLdap is affected by this vulnerability and in which > version it is fixed ? By the looks of it, all versions of openLdap are affected; I know the latest at 2.4.44 is. I tried submitting this bug upstream, but got turned away because of IPR concerns over the rights to the fix, ref. http://www.openldap.org/its/index.cgi?findid=8543 Can someone from RedHat please submit this bugfix to LDAP, because that doesn't appear to have happened... Best regards, - Håvard
Hello, while doing review of the Vulnerability Assessment report of RHEL 8.6 for the purpose of Common Criteria certification, we came across this CVE-2015-3276. The CVE page https://access.redhat.com/security/cve/CVE-2015-3276 does not even list RHEL 8. However, the comment 10 above mentions that the fix was rejected upstream. Do we still carry the patch downstream in RHEL 8 (RHEL 8.6 has openldap-2.4.46-16.el8)? Could the CVE page be updated with Red Hat's official statement about this CVE in RHEL 8? Thank you, Jan
This CVE is not applicable to RHEL8 (and later). openldap package went back to using openssl for cryptographic purposes rather than the compatibility shim on top of nss that had the issue.
Great, thanks for the confirmation.
In reply to comment #11: > Could the CVE page be updated with Red Hat's official statement about this CVE in RHEL 8? added statement
Thanks but ... I was more after the short note of why we believe it to be so, similar to Martin's comment 12? It would help us in communication with the external parties.