[openldap] CVE-2012-2668: cipher suite selection by name can be ignored
jvcelak
jvcelak at fedoraproject.org
Wed Jun 27 11:57:17 UTC 2012
commit 904778f62059c96a21cb047f18f02605416d2b1c
Author: Jan Vcelak <jvcelak at redhat.com>
Date: Wed Jun 27 13:55:02 2012 +0200
CVE-2012-2668: cipher suite selection by name can be ignored
Resolves: #825875
openldap-cve-nss-cipher-suite-ignored.patch | 27 +++++++++++++++++++++++++++
openldap.spec | 3 +++
2 files changed, 30 insertions(+), 0 deletions(-)
---
diff --git a/openldap-cve-nss-cipher-suite-ignored.patch b/openldap-cve-nss-cipher-suite-ignored.patch
new file mode 100644
index 0000000..89838f2
--- /dev/null
+++ b/openldap-cve-nss-cipher-suite-ignored.patch
@@ -0,0 +1,27 @@
+MozNSS: cipher suite selection by name may be ignored
+
+Author: Tim Strobell <tim.strobell.ctr at nrl.navy.mil>
+Upstream ITS: #7289
+Upstream commit: 4b6bd2c600a79960409499f43a818aa0ca9fe463
+Resolves: #825875 (CVE-2012-2668)
+
+---
+ libraries/libldap/tls_m.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 4c18360..d71fec7 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -624,7 +624,7 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ } else {
+ for (i=0; i<ciphernum; i++) {
+ if (!strcmp(ciphers_def[i].ossl_name, cipher) &&
+- cipher_list[1] != -1)
++ cipher_list[i] != -1)
+ cipher_list[i] = action;
+ }
+ }
+--
+1.7.10.4
+
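Review bot: In the embedded tls_m.c hunk at line 624, the corrected guard `cipher_list[i] != -1` still relies on a bare `-1` whose meaning is not explained anywhere in the patch, and the patch description only says selection "may be ignored" without saying when. The removed line tested `cipher_list[1]` on every iteration, so whenever slot 1 held -1 no cipher matched by name in this branch could have `action` applied, and whenever it did not, an entry whose own slot was -1 would be overwritten. Suggest stating that in one sentence in the patch header and adding a comment or named constant for the -1 sentinel so the per-index intent is obvious. A regression test that selects a cipher by name and checks the resulting list would also catch this kind of index typo.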
diff --git a/openldap.spec b/openldap.spec
index da6b401..a752cc4 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -43,6 +43,7 @@ Patch11: openldap-nss-allow-ca-dbdir-pemfile.patch
Patch12: openldap-tls-unbind-shutdown-order.patch
Patch13: openldap-nss-dont-overwrite-verify-cert-error.patch
Patch14: openldap-nss-clean-memory-for-token-pin.patch
+Patch15: openldap-cve-nss-cipher-suite-ignored.patch
# Fedora specific patches
Patch100: openldap-fedora-systemd.patch
@@ -153,6 +154,7 @@ pushd openldap-%{version}
%patch12 -p1
%patch13 -p1
%patch14 -p1
+%patch15 -p1
%patch100 -p1
@@ -669,6 +671,7 @@ exit 0
- fix: invalid order of TLS shutdown operations (#808464)
- fix: TLS error messages overwriting in tlsm_verify_cert() (#810462)
- fix: reading pin from file can make all TLS connections hang (#829317)
+- CVE-2012-2668: cipher suite selection by name can be ignored (#825875)
* Fri May 18 2012 Jan Vcelak <jvcelak at redhat.com> 2.4.31-2
- fix: nss-tools package is required by the base package, not the server subpackage
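Review bot: The new changelog line is appended to an existing stanza, and the three insertions the diffstat reports for openldap.spec are all accounted for by `Patch15`, `%patch15` and this line, so no Release change accompanies the security fix in this commit. If the stanza above 2.4.31-2 has already been built, add a new changelog entry with a bumped release so the CVE fix maps to a distinct package version. Minor style point: the neighbouring entries use a `fix:` prefix while this one leads with the CVE id; that is reasonable for searchability, but it should be a deliberate choice.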