From 24e387aaf78bc0f68a46abb1fab3a76364804bd1 Mon Sep 17 00:00:00 2001
From: Li Wang
Date: Wed, 14 Sep 2016 02:25:32 -0400
Subject: openldap: fix CVE-2015-3276
the patch comes from:
https://bugzilla.redhat.com/show_bug.cgi?id=1238322
https://bugzilla.redhat.com/attachment.cgi?id=1055640
The nss_parse_ciphers function in libraries/libldap/tls_m.c in
OpenLDAP does not properly parse OpenSSL-style multi-keyword mode
cipher strings, which might cause a weaker than intended cipher to
be used and allow remote attackers to have unspecified impact via
unknown vectors.
Signed-off-by: Li Wang
Signed-off-by: Wenzong Fan
Signed-off-by: Martin Jansa
---
.../openldap/openldap/openldap-CVE-2015-3276.patch | 59 ++++++++++++++++++++++
.../recipes-support/openldap/openldap_2.4.44.bb | 1 +
2 files changed, 60 insertions(+)
create mode 100644 meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch
(limited to 'meta-oe/recipes-support/openldap')
diff --git a/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch
new file mode 100644
index 0000000000..de9ca528a2
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch
@@ -0,0 +1,59 @@
+openldap CVE-2015-3276
+
+the patch comes from:
+https://bugzilla.redhat.com/show_bug.cgi?id=1238322
+https://bugzilla.redhat.com/attachment.cgi?id=1055640
+
+The nss_parse_ciphers function in libraries/libldap/tls_m.c in
+OpenLDAP does not properly parse OpenSSL-style multi-keyword mode
+cipher strings, which might cause a weaker than intended cipher to
+be used and allow remote attackers to have unspecified impact via
+unknown vectors.
+
+Signed-off-by: Li Wang
+---
+ libraries/libldap/tls_m.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 9b101f9..e6f3051 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -621,18 +621,23 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ */
+ if (mask || strength || protocol) {
+ for (i=0; i