[opensuse-factory] OpenSLP and package openldap2
HI! Given recent OpenSLP security issue I wonder whether package openldap2 should still be linked with OpenSLP. IMO the OpenSLP projects seems pretty dead and I suspect there might be more issues in that lib. I've sent an inquiry about this to openldap-technical mailing list a couple of days ago: --------------------------- snip --------------------------- Is anybody here using OpenSLP with OpenLDAP libs to locate LDAP directory servers? I never used it and I only vaguely remember that Novell eDirectory instances was announced via SLP. But I don't know of any clients supporting that and therefore I wonder whether Linux distros should package OpenLDAP with SLP support. --------------------------- snip --------------------------- The only response was from the Debian maintainer. They dropped SLP support in 2015: https://www.openldap.org/lists/openldap-technical/201807/msg00027.html Ciao, Michael.
On Sat, Jul 14, Michael Ströder wrote:
Given recent OpenSLP security issue I wonder whether package openldap2 should still be linked with OpenSLP. IMO the OpenSLP projects seems pretty dead and I suspect there might be more issues in that lib.
OpenSLP can be very helpfull, if the admin does active maintain the setup. I know some of this setups. But most admins don't do so, and so it can become a real risk. And here I know even much more setups. I think enabling applications to allow the usage of openslp is ok, but they should not use it by default if the admin does not give his Ok. Thorsten -- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Sat, Jul 14, 2018 at 11:39:06AM +0200, Michael Ströder wrote:
Given recent OpenSLP security issue I wonder whether package openldap2 should still be linked with OpenSLP. IMO the OpenSLP projects seems pretty dead and I suspect there might be more issues in that lib.
No, it's not dead yet. Upstream plans to do the next release in a couple of weeks. Cheers, Michael. -- Michael Schroeder mls@suse.de SUSE LINUX GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);} -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (3)
-
Michael Schroeder -
Michael Ströder -
Thorsten Kukuk