OpenLDAP May Ignore TLSCipherSuite Setting in Some Cases
|
|
SecurityTracker Alert ID: 1027127 |
|
SecurityTracker URL: http://securitytracker.com/id/1027127
|
|
CVE Reference:
CVE-2012-2668
(Links to External Site)
|
Date: Jun 6 2012
|
Impact:
Disclosure of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
|
Description:
A vulnerability was reported in OpenLDAP. The system may use a weaker cipher suite than specified.
When the Mozilla NSS backend is used, the OpenLDAP software ignores the TLSCipherSuite setting and instead uses the default cipher suite, which may contain some weak ciphers.
The vulnerability resides in 'libraries/libldap/tls_m.c'.
Tim Strobell reported this vulnerability.
|
Impact:
The system may use weaker ciphers than specified in the configuration file.
|
Solution:
The vendor has issued a source code fix, available at:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=2c2bb2e
The vendor's advisory is available at:
http://www.openldap.org/its/index.cgi?findid=7285
|
Vendor URL: openldap.org/ (Links to External Site)
|
Cause:
State error
|
Underlying OS:
Linux (Any), UNIX (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
|
|
[Original Message Not Available for Viewing]
|
|
