On Fri, Jul 17, 2020 at 09:07:57AM -0700, Ryan Tandy wrote:
> Control: tag -1 moreinfo
>
> Hi Moritz, thanks for the report.
> Sorry for the late reply, had a bunch of other issues pending.
>
> On Fri, Jul 17, 2020 at 12:41:35PM +0200, Moritz Muehlenhoff wrote:
> > CVE-2020-15719 was assigned to an issue in OpenLDAP found by Red Hat:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1740070
> >
> > The underlying OpenLDAP bug is restricted, though:
> > https://bugs.openldap.org/show_bug.cgi?id=9266
>
> The OpenLDAP ticket has now been made public.

Thanks.

> There might be an argument to be made that the Common Name matching is
> described as something the implementation "may also" do, so we could tweak
> how it works without actually violating RFC 4513. However it's enough of a
> grey area (and a subtle enough difference) that I think I'd prefer to just
> follow upstream, especially if some existing setups might be depending on
> that behaviour (CN not duplicated in a SAN).
>
> What do you think?

We should definitely follow upstream, I think Howard's reasoning makes a lot of sense.
I'll mark it as a non-issue in the Debian Security Tracker.

Cheers,
Moritz
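The two behaviours the thread contrasts, as an added illustration that is not OpenLDAP's or Debian's code: RFC 4513 section 3.1.3 has the client compare the expected server name against the certificate's subjectAltName dNSName entries and says it "may also" use the Common Name. The lenient policy below keeps consulting the CN even when dNSName SANs are present (the behaviour the thread notes some setups depend on, with a CN that is not duplicated in a SAN); the strict policy only falls back to the CN when the certificate carries no dNSName SAN at all. The certificate name sets and hostnames are constructed for the example; nothing is parsed from real certificates.

```python
"""Hostname verification policies for a TLS server certificate (illustration only)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CertNames:
    """Constructed stand-in for the identity fields of an X.509 certificate."""
    common_name: Optional[str]
    san_dns: List[str] = field(default_factory=list)  # subjectAltName dNSName entries


def _name_matches(pattern: str, hostname: str) -> bool:
    """Compare one presented identifier with the expected hostname.

    Matching is case-insensitive and ignores a trailing dot.  A wildcard is
    honoured only as the entire leftmost label, it matches exactly one label,
    and it must be followed by at least two more labels (so "*.com" never
    matches).  Partial wildcards such as "ldap*.example.com" are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        head, sep, rest = hostname.partition(".")
        return sep == "." and head != "" and rest == suffix and "." in suffix
    return False


def verify_lenient(names: CertNames, hostname: str) -> bool:
    """Accept if any dNSName SAN matches, or if the CN matches, regardless of SANs."""
    candidates = list(names.san_dns)
    if names.common_name:
        candidates.append(names.common_name)
    return any(_name_matches(c, hostname) for c in candidates)


def verify_strict(names: CertNames, hostname: str) -> bool:
    """Use dNSName SANs when the certificate has any; consult the CN only otherwise."""
    if names.san_dns:
        return any(_name_matches(c, hostname) for c in names.san_dns)
    return bool(names.common_name) and _name_matches(names.common_name, hostname)


def demo() -> Dict[str, Dict[str, bool]]:
    """Run both policies over constructed certificates and return the verdicts."""
    cases = {
        # CN names the host, but a SAN is present and does not: the policies diverge.
        "cn_only_in_cn_with_other_san": (
            CertNames("ldap.example.com", ["directory.example.com"]), "ldap.example.com"),
        # No SAN at all: both policies fall back to the CN.
        "cn_no_san": (CertNames("ldap.example.com", []), "ldap.example.com"),
        # Wildcard SAN covering the host: both accept.
        "wildcard_san": (CertNames("unrelated", ["*.example.com"]), "ldap.example.com"),
        # Wildcard must not span two labels: both reject.
        "wildcard_two_labels": (CertNames("unrelated", ["*.example.com"]), "a.b.example.com"),
    }
    return {
        label: {"lenient": verify_lenient(cert, host), "strict": verify_strict(cert, host)}
        for label, (cert, host) in cases.items()
    }


if __name__ == "__main__":
    for label, verdicts in demo().items():
        print(f"{label:32} lenient={verdicts['lenient']!s:5} strict={verdicts['strict']}")
```

The first case is the one that matters for the triage above: a client applying the lenient rule connects successfully to a server whose CN names it while its SAN does not, whereas a client applying the strict rule refuses, which is exactly why changing the behaviour in a stable release risks breaking deployments that never put the CN into a SAN.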

