[Pkg-fedora-ds-maintainers] jessie security update for 389-ds-base
Florian Weimer
fw at deneb.enyo.de
Sun Oct 9 19:51:16 UTC 2016
* Timo Aaltonen:
> On 04.10.2016 10:08, Florian Weimer wrote:
>> We need to release a security update for 389-ds-base:
>>
>> <https://security-tracker.debian.org/tracker/source-package/389-ds-base>
>
> Only CVE-2015-3230 and CVE-2015-1854 apply to 1.3.3.x and CVE-2016-0741
> does not according to
>
> https://fedorahosted.org/389/ticket/48412
Hi Timo,
thanks, I see that Salvatore has already updated the security tracker.
>> Information about individual vulnerabilities and their fixes appears
>> to be difficult to track down.
>
> yes, upstream git history rarely mentions the CVE's, need to dig out the
> ticket numbers from somewhere and compare.
And I don't think it's not even a deliberate attempt at obfuscation.
>> Do you think it would be possible to rebase to a newer upstream
>> version? What kind of actions would be needed from the LDAP
>> administrator if we did that?
>
> It's better to just update to 1.3.3.14 which is the latest from that
> branch, and it has fixes to both CVE's that apply to it. There's no
> changes needed from the administrator in this case, and when updating to
> next "major" version the upstream upgrade scripts are run in postinst
> (in sid/stretch at least).
What about CVE-2016-5416? It seems this one requires admin action:
<https://bugzilla.redhat.com/show_bug.cgi?id=1361420#c3>
Could you prepare an update which rebases 389-ds-base to 1.3.3.14 in
jessie?
Thanks,
Florian