~ubuntu-branches/ubuntu/hardy/openldap2.3/hardy-security


Viewing changes to debian/patches/gnutls-enable-v1-ca-certs

  • Committer: Bazaar Package Importer
  • Author(s): Steve Beattie
  • Date: 2010-07-29 13:40:10 UTC
  • mfrom: (16.1.5 hardy-proposed)
  • Revision ID: james.westby@ubuntu.com-20100729134010-hf8g3b3l2f7gvm85
Tags: 2.4.9-0ubuntu0.8.04.4
* SECURITY UPDATE: null ptr deref, free uninitialized data in modrdn calls
  - openldap-2.4.22-CVE-2010-0211-modrdn_check_error.patch:
    - check return for errors and clean up uninitialized data
  - openldap-2.4.22-CVE-2010-0212-modrdn_null_deref.patch:
    - return error on 0-length or binary RDNs
  - CVE-2010-0211, CVE-2010-0212

## Mathias Gug <mathiaz@ubuntu.com>
## Enable V1 CA certs to be trusted.
## ITS: 5992 - http://www.openldap.org/its/index.cgi?findid=5992
## LP: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264
## Fixed in > 2.4.15
## Backport from patch: http://bazaar.launchpad.net/%7Evcs-imports/openldap/main-src/diff/17238

--- openldap.orig/libraries/libldap/tls.c.orig  2009-03-25 13:05:17.000000000 -0400
+++ openldap/libraries/libldap/tls.c    2009-03-25 13:09:01.000000000 -0400
@@ -757,6 +757,14 @@
                if ( rc < 0 ) goto error_exit;
                rc = 0;
        }
+
+       /* FIXME: ITS#5992 - this should go be configurable,
+        * and V1 CA certs should be phased out ASAP.
+        */
+       gnutls_certificate_set_verify_flags(((tls_ctx*) lo->ldo_tls_ctx)->cred,
+               GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
+
+
        if ( is_server ) {
                gnutls_dh_params_init (&((tls_ctx*) 
                                        lo->ldo_tls_ctx)->dh_params);
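Review bot: the `gnutls_certificate_set_verify_flags(... GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT )` call in this hunk relaxes certificate verification unconditionally, for every client and server context libldap builds, with no TLS option to turn it off; the FIXME above it already concedes it should be configurable. A v1 certificate has no extensions field, so a v1 CA in the trust store cannot carry basicConstraints and nothing in it proves it was issued as a CA; please gate the flag on an ldap option, or at least state in the patch header that every consumer of this libldap inherits the relaxation until the upstream resolution of ITS#5992 is picked up. Two smaller points: gnutls_certificate_set_verify_flags sets the whole flag word rather than OR-ing into it, so any verification flags set on `cred` elsewhere are replaced by this call; and the comment reads "this should go be configurable", drop the stray "go" (the two trailing empty `+` lines could also be collapsed to one).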
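The flag this patch enables matters because an X.509 v1 certificate has no extensions field, so a v1 CA certificate cannot carry basicConstraints and its CA status cannot be checked from the certificate itself. Before shipping with GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT set, the trust store can be audited for v1 certificates. The following is an added example, not code from the OpenLDAP patch or from GnuTLS: a minimal DER prefix reader that reports a certificate's version. The function names (`x509_version`, `can_carry_basic_constraints`) and the sample byte strings are this example's own; the samples are constructed certificate prefixes, not real certificates.

```c
/* Added example, not part of OpenLDAP or GnuTLS: report the X.509 version of a
 * DER-encoded certificate so a CA store can be checked for v1 CAs, which is
 * what GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT tells GnuTLS to accept. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Read one DER tag and length at buf[*pos]; advance *pos past the header.
 * Only the header bytes are bounds-checked, so a truncated certificate whose
 * declared outer length exceeds the buffer is still accepted as input. */
static int der_header(const uint8_t *buf, size_t len, size_t *pos,
                      uint8_t *tag, size_t *vlen)
{
    if (*pos >= len) return -1;
    *tag = buf[(*pos)++];
    if (*pos >= len) return -1;
    uint8_t b = buf[(*pos)++];
    if (b < 0x80) {                         /* short form length */
        *vlen = b;
        return 0;
    }
    unsigned n = b & 0x7f;                  /* long form: n length bytes */
    if (n == 0 || n > sizeof(size_t) || *pos + n > len) return -1;
    size_t v = 0;
    for (unsigned i = 0; i < n; i++) v = (v << 8) | buf[(*pos)++];
    *vlen = v;
    return 0;
}

/* Return 1, 2 or 3 for the certificate version, or -1 if the bytes do not
 * start like a Certificate. Only this prefix is inspected:
 *   Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
 *       version [0] EXPLICIT INTEGER DEFAULT v1(0), serialNumber INTEGER, ... */
int x509_version(const uint8_t *der, size_t len)
{
    size_t pos = 0, vlen;
    uint8_t tag;
    if (der_header(der, len, &pos, &tag, &vlen) || tag != 0x30) return -1; /* Certificate */
    if (der_header(der, len, &pos, &tag, &vlen) || tag != 0x30) return -1; /* tbsCertificate */
    if (der_header(der, len, &pos, &tag, &vlen)) return -1;
    if (tag != 0xA0) return 1;              /* [0] version absent: DEFAULT v1 */
    if (der_header(der, len, &pos, &tag, &vlen) || tag != 0x02 || vlen != 1) return -1;
    if (pos >= len) return -1;
    uint8_t v = der[pos];                   /* 0 = v1, 1 = v2, 2 = v3 */
    if (v > 2) return -1;
    return (int)v + 1;
}

/* basicConstraints is an extension, and only v3 certificates have an
 * extensions field, so only a v3 certificate can assert CA:TRUE. */
int can_carry_basic_constraints(const uint8_t *der, size_t len)
{
    return x509_version(der, len) == 3;
}

/* Constructed sample prefixes (not real certificates): the outer lengths are
 * plausible but the bodies are cut off right after the field of interest. */
const uint8_t SAMPLE_V3[] = { 0x30, 0x82, 0x03, 0x1c,       /* Certificate */
                              0x30, 0x82, 0x02, 0x04,       /* tbsCertificate */
                              0xa0, 0x03, 0x02, 0x01, 0x02, /* [0] { INTEGER 2 } */
                              0x02, 0x01, 0x01 };           /* serialNumber */
const uint8_t SAMPLE_V1[] = { 0x30, 0x82, 0x02, 0x5a,
                              0x30, 0x82, 0x01, 0x43,
                              0x02, 0x01, 0x01,             /* serialNumber first: v1 */
                              0x30, 0x0d };
const uint8_t SAMPLE_BAD[] = { 0x02, 0x01, 0x01 };          /* bare INTEGER */
const size_t SAMPLE_V3_LEN  = sizeof(SAMPLE_V3);
const size_t SAMPLE_V1_LEN  = sizeof(SAMPLE_V1);
const size_t SAMPLE_BAD_LEN = sizeof(SAMPLE_BAD);

int main(void)
{
    printf("v3 sample: version %d, can carry basicConstraints: %d\n",
           x509_version(SAMPLE_V3, SAMPLE_V3_LEN),
           can_carry_basic_constraints(SAMPLE_V3, SAMPLE_V3_LEN));
    printf("v1 sample: version %d, can carry basicConstraints: %d\n",
           x509_version(SAMPLE_V1, SAMPLE_V1_LEN),
           can_carry_basic_constraints(SAMPLE_V1, SAMPLE_V1_LEN));
    printf("garbage: version %d\n", x509_version(SAMPLE_BAD, SAMPLE_BAD_LEN));
    return 0;
}
```

To run this over a real store, convert each CA to DER (for example `openssl x509 -in ca.pem -outform DER`), read the file into a buffer and pass it to `x509_version`; any result of 1 is a CA that the patched libldap will accept only because of the flag added in this hunk, and that cannot have carried CA:TRUE.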