[Pkg-fedora-ds-maintainers] jessie security update for 389-ds-base
fw at deneb.enyo.de
Sun Oct 9 19:51:16 UTC 2016
* Timo Aaltonen:
> On 04.10.2016 10:08, Florian Weimer wrote:
>> We need to release a security update for 389-ds-base:
> Only CVE-2015-3230 and CVE-2015-1854 apply to 1.3.3.x and CVE-2016-0741
> does not according to
thanks, I see that Salvatore has already updated the security tracker.
>> Information about individual vulnerabilities and their fixes appears
>> to be difficult to track down.
> yes, upstream git history rarely mentions the CVE's, need to dig out the
> ticket numbers from somewhere and compare.
And I don't think it's not even a deliberate attempt at obfuscation.
>> Do you think it would be possible to rebase to a newer upstream
>> version? What kind of actions would needed from the LDAP
>> administrator if we did that?
> It's better to just update to 22.214.171.124 which is the latest from that
> branch, and it has fixes to both CVE's that apply to it. There's no
> changes needed from the administrator in this case, and when updating to
> next "major" version the upstream upgrade scripts are run in postinst
> (in sid/stretch at least).
What about CVE-2016-5416? It seems this one requires admin action:
Could you prepare an update which rebases 389-ds-base to 126.96.36.199 in
More information about the Pkg-fedora-ds-maintainers