CVE-2020-15719

Name: CVE-2020-15719
Description: libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 965184

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                                    | Version               | Status
openldap (PTS) | jessie, jessie (lts)                       | 2.4.40+dfsg-1+deb8u11 | vulnerable
               | stretch (security), stretch (lts), stretch | 2.4.44+dfsg-5+deb9u9  | vulnerable
               | buster (security), buster, buster (lts)    | 2.4.47+dfsg-3+deb10u7 | vulnerable
               | bullseye (security), bullseye              | 2.4.57+dfsg-3+deb11u1 | vulnerable
               | bookworm                                   | 2.5.13+dfsg-5         | vulnerable
               | sid, trixie                                | 2.5.18+dfsg-3         | vulnerable

The information below is based on the following data on fixed versions.

Package  | Type   | Release    | Fixed Version | Urgency     | Origin | Debian Bugs
openldap | source | (unstable) | (unfixed)     | unimportant |        | 965184

Notes

https://bugs.openldap.org/show_bug.cgi?id=9266
https://bugzilla.redhat.com/show_bug.cgi?id=1740070
RedHat/CentOS applied patch: https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch
OpenLDAP upstream disputed the validity of the issue, as the current libldap
behaviour conforms with RFC4513. RFC6125 does not supersede the rules for
verifying service identity provided in specifications for existing application
protocols published prior to RFC6125, like RFC4513 for LDAP.
[jessie] - openldap <no-dsa> (Minor issue, works as intended)
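The two verification policies at the heart of the dispute, as an added illustration (this is not libldap code and not the Red Hat patch): under RFC6125-style checking, a certificate that carries dNSName SAN entries is matched against those entries only, and the CN is consulted solely when no dNSName SAN exists; under the behaviour described in the CVE text, the CN is still accepted when the SANs are present but do not match. Certificates are modelled as simple records with constructed names rather than parsed X.509, so the example runs offline.

```python
"""Hostname verification: RFC 6125 SAN-first checking vs. legacy CN fallback.

Added illustration, not libldap code. Certificates are modelled as plain
records (constructed sample identities) instead of parsed X.509 structures.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertIdentity:
    """The identity fields relevant to hostname checking (constructed model)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)  # dNSName SAN entries


def match_dns_name(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match. A '*' is allowed only as the whole
    leftmost label and matches exactly one label (RFC 6125 section 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # The wildcard must be the entire first label, there must be at least two
    # labels after it (so '*.test' is rejected), and label counts must agree.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: CertIdentity, host: str, san_overrides_cn: bool = True) -> bool:
    """Return True if `host` is an acceptable identity for `cert`.

    san_overrides_cn=True  : RFC 6125 behaviour. If any dNSName SAN is present,
                             only the SANs are consulted; the CN is used solely
                             as a fallback for certificates with no dNSName SAN.
    san_overrides_cn=False : the behaviour the CVE text describes, where the CN
                             is still accepted when SANs exist but do not match.
    """
    if cert.san_dns:
        if any(match_dns_name(san, host) for san in cert.san_dns):
            return True
        if san_overrides_cn:
            return False  # a non-matching SAN set is final; no CN fallback
    return match_dns_name(cert.common_name, host)


# Constructed sample identities (not from any real certificate).
MISMATCHED_CERT = CertIdentity(common_name="ldap.example.test",
                               san_dns=["other.example.test"])
SAN_ONLY_CERT = CertIdentity(common_name="Example LDAP", san_dns=["*.example.test"])
CN_ONLY_CERT = CertIdentity(common_name="legacy.example.test")


def demo() -> dict:
    """Run both policies over the constructed identities and return the outcomes."""
    return {
        "strict_cn_fallback_blocked": verify_hostname(MISMATCHED_CERT, "ldap.example.test"),
        "lenient_cn_fallback_allowed": verify_hostname(MISMATCHED_CERT, "ldap.example.test",
                                                       san_overrides_cn=False),
        "wildcard_san": verify_hostname(SAN_ONLY_CERT, "ldap.example.test"),
        "wildcard_single_label_only": verify_hostname(SAN_ONLY_CERT, "a.b.example.test"),
        "cn_only_cert": verify_hostname(CN_ONLY_CERT, "legacy.example.test"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The MISMATCHED_CERT case is the one the description refers to: the SAN names a different host than the one being connected to, and only the lenient policy lets the matching CN rescue the handshake. A defender auditing an LDAP client can reproduce the same distinction by pointing the client at a server certificate whose SAN and CN disagree and observing whether the connection is accepted.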
