Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-15719 affects the libldap component in certain third-party OpenLDAP packages, specifically when the package asserts RFC 6125 support. The vulnerability was discovered in July 2020 and affects various versions of OpenLDAP packages across different distributions (CVE Details).
The flaw is in certificate validation: libldap still considers the certificate's CN (Common Name) even when the certificate carries a subjectAltName (SAN) that does not match the host. Under RFC 6125 a present SAN takes precedence, so a matching CN should not rescue a certificate whose SAN fails to match. The issue was fixed in openldap-2.4.46-10.el8 in Red Hat Enterprise Linux (Debian Tracker).
The result is incorrect certificate validation: a client could establish a TLS connection to a server presenting a certificate that an RFC 6125-conformant check would reject, weakening the server-identity guarantee that TLS is supposed to provide for affected OpenLDAP clients (OpenLDAP Bug).
Various distributions have released patches: Red Hat fixed the issue in openldap-2.4.46-10.el8 for Red Hat Enterprise Linux, and openSUSE shipped fixes in security updates 2020:1416 and 2020:1459. Organizations should update to the patched OpenLDAP packages (SUSE Security).
The validity of this vulnerability is disputed within the security community. OpenLDAP upstream rejected the report, stating that the current libldap behavior conforms to RFC 4513 and that RFC 6125 does not supersede the service-identity verification rules already defined in the specifications of existing application protocols (OpenLDAP Bug).
Source: This report was generated using AI