[Pkg-fedora-ds-maintainers] jessie security update for 389-ds-base

Timo Aaltonen tjaalton at debian.org
Wed Oct 5 11:48:02 UTC 2016

On 04.10.2016 10:08, Florian Weimer wrote:
> We need to release a security update for 389-ds-base:
>   <https://security-tracker.debian.org/tracker/source-package/389-ds-base>

Only CVE-2015-3230 and CVE-2015-1854 apply to 1.3.3.x and CVE-2016-0741
does not according to


> Information about individual vulnerabilities and their fixes appears
> to be difficult to track down.

yes, upstream git history rarely mentions the CVE's, need to dig out the
ticket numbers from somewhere and compare.

> Do you think it would be possible to rebase to a newer upstream
> version?  What kind of actions would needed from the LDAP
> administrator if we did that?

It's better to just update to which is the latest from that
branch, and it has fixes to both CVE's that apply to it. There's no
changes needed from the administrator in this case, and when updating to
next "major" version the upstream upgrade scripts are run in postinst
(in sid/stretch at least).

> What's the difference between the 1.3.4 and 1.3.5?  Do you have
> information about upstream support life-cycles?

New features, though I haven't actually looked into them in detail. I'll
update 389-ds-base to 1.3.5.x for stretch, because freeipa 4.4 needs it.


More information about the Pkg-fedora-ds-maintainers mailing list