CVE-2020-15719

libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.

• openldap (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965184) https://bugs.openldap.org/show_bug.cgi?id=9266 https://bugzilla.redhat.com/show_bug.cgi?id=1740070 RedHat/CentOS applied patch: https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch OpenLDAP upstream did dispute the issue as beeing valid, as the current libldap behaviour does conform with RFC4513. RFC6125 does not superseed the rules for verifying service identity provided in specifications for existing application protocols published prior to RFC6125, like RFC4513 for LDAP.