Control: tags -1 confirmed moreinfo

Hi,

On Sun, May 28, 2017 at 11:24:00AM -0700, Ryan Tandy wrote:
> I would like to upload a late-breaking security fix to openldap:
> 
>   * debian/patches/ITS-8655-paged-results-double-free.patch: Fix a double free
>     in the MDB backend on a search including the Paged Results control with a
>     page size of 0. (ITS#8655) (Closes: #863563)
> 
> A Debian user reported this crash bug in slapd. The default Debian 
> configuration uses the MDB backend and allows unauthenticated users to 
> search the directory; therefore for us this qualifies as a remote DoS.
> 
> With your permission, I'd like to include one additional fix:
> 
>   * ITS-8644-wait-for-slapd-to-start-in-test064.patch: Fix an intermittently
>     failing test by waiting for slapd to start before running tests.
>     (ITS#8644) (Closes: #770890)
> 
> This issue caused some havoc in the last upload; you may remember that 
> we ended up re-bootstrapping on ppc64el and binNMUing everywhere. The 
> root cause was actually the tight dependency between libldap-2.4-2 and 
> libldap-common, but I think revisiting that should wait for buster. For 
> now, including this patch will improve the reliability of maintenance 
> uploads during stretch's lifetime.
> 
> Both patches have already been reviewed upstream and will be included in 
> the upcoming 2.4.45 release.
> 
> Thanks again for all your work on making stretch great,

Please go ahead with the upload and remove the moreinfo tag from this bug once
the builds on all (relevant) architectures are in unstable.

Cheers,

Ivo
