[Pkg-fedora-ds-maintainers] jessie security update for 389-ds-base

Florian Weimer fw at deneb.enyo.de
Sun Oct 9 19:51:16 UTC 2016

* Timo Aaltonen:

> On 04.10.2016 10:08, Florian Weimer wrote:
>> We need to release a security update for 389-ds-base:
>>   <https://security-tracker.debian.org/tracker/source-package/389-ds-base>
> Only CVE-2015-3230 and CVE-2015-1854 apply to 1.3.3.x and CVE-2016-0741
> does not according to
> https://fedorahosted.org/389/ticket/48412

Hi Timo,

thanks, I see that Salvatore has already updated the security tracker.

>> Information about individual vulnerabilities and their fixes appears
>> to be difficult to track down.
> yes, upstream git history rarely mentions the CVE's, need to dig out the
> ticket numbers from somewhere and compare.

And I don't think it's not even a deliberate attempt at obfuscation.

>> Do you think it would be possible to rebase to a newer upstream
>> version?  What kind of actions would needed from the LDAP
>> administrator if we did that?
> It's better to just update to which is the latest from that
> branch, and it has fixes to both CVE's that apply to it. There's no
> changes needed from the administrator in this case, and when updating to
> next "major" version the upstream upgrade scripts are run in postinst
> (in sid/stretch at least).

What about CVE-2016-5416?  It seems this one requires admin action:


Could you prepare an update which rebases 389-ds-base to in


More information about the Pkg-fedora-ds-maintainers mailing list