[gentoo-announce] [ GLSA 200803-28 ] OpenLDAP: Denial of Service vulnerabilities - gentoo-announce

From:	Pierre-Yves Rofes <py@g.o>
To:	gentoo-announce@l.g.o
Cc:	full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200803-28 ] OpenLDAP: Denial of Service vulnerabilities
Date:	Wed, 19 Mar 2008 22:03:04
Message-Id:	`47E19A02.6020506@gentoo.org`

1

-----BEGIN PGP SIGNED MESSAGE-----

2

Hash: SHA1

3

4

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

5

Gentoo Linux Security Advisory                           GLSA 200803-28

6

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

7

                                            http://security.gentoo.org/

8

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

9

10

  Severity: Normal

11

     Title: OpenLDAP: Denial of Service vulnerabilities

12

      Date: March 19, 2008

13

      Bugs: #197446, #209677

14

        ID: 200803-28

15

16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

17

18

Synopsis

19

========

20

21

Multiple Denial of Service vulnerabilities have been reported in

22

OpenLDAP.

23

24

Background

25

==========

26

27

OpenLDAP Software is an open source implementation of the Lightweight

28

Directory Access Protocol.

29

30

Affected packages

31

=================

32

33

    -------------------------------------------------------------------

34

     Package           /  Vulnerable  /                     Unaffected

35

    -------------------------------------------------------------------

36

  1  net-nds/openldap      < 2.3.41                          >= 2.3.41

37

38

Description

39

===========

40

41

The following errors have been discovered in OpenLDAP:

42

43

* Tony Blake discovered an error which exists within the

44

  normalisation of "objectClasses" (CVE-2007-5707).

45

46

* Thomas Sesselmann reported that, when running as a proxy-caching

47

  server the "add_filter_attrs()" function in

48

  servers/slapd/overlay/pcache.c does not correctly NULL terminate

49

  "new_attrs" (CVE-2007-5708).

50

51

* A double-free bug exists in attrs_free() in the file

52

  servers/slapd/back-bdb/modrdn.c, which was discovered by Jonathan

53

  Clarke (CVE-2008-0658).

54

55

Impact

56

======

57

58

A remote attacker can cause a Denial of Serivce by sending a malformed

59

"objectClasses" attribute, and via unknown vectors that prevent the

60

"new_attrs" array from being NULL terminated, and via a modrdn

61

operation with a NOOP (LDAP_X_NO_OPERATION) control.

62

63

Workaround

64

==========

65

66

There is no known workaround at this time.

67

68

Resolution

69

==========

70

71

All OpenLDAP users should upgrade to the latest version:

72

73

    # emerge --sync

74

    # emerge --ask --oneshot --verbose ">=net-nds/openldap-2.3.41"

75

76

References

77

==========

78

79

  [ 1 ] CVE-2007-5707

80

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5707

81

  [ 2 ] CVE-2007-5708

82

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5708

83

  [ 3 ] CVE-2008-0658

84

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0658

85

86

Availability

87

============

88

89

This GLSA and any updates to it are available for viewing at

90

the Gentoo Security Website:

91

92

  http://security.gentoo.org/glsa/glsa-200803-28.xml

93

94

Concerns?

95

=========

96

97

Security is a primary focus of Gentoo Linux and ensuring the

98

confidentiality and security of our users machines is of utmost

99

importance to us. Any security concerns should be addressed to

100

security@g.o or alternatively, you may file a bug at

101

http://bugs.gentoo.org.

102

103

License

104

=======

105

106

Copyright 2008 Gentoo Foundation, Inc; referenced text

107

belongs to its owner(s).

108

109

The contents of this document are licensed under the

110

Creative Commons - Attribution / Share Alike license.

111

112

http://creativecommons.org/licenses/by-sa/2.5

113

-----BEGIN PGP SIGNATURE-----

114

Version: GnuPG v2.0.7 (GNU/Linux)

115

Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

116

117

iD8DBQFH4ZoCuhJ+ozIKI5gRAuZYAKCXAX4sXc39JTd83l6VwVfnHdMsZACfQVfi

118

kTrjdz99Vifw47to09cOknQ=

119

=0mt1

120

-----END PGP SIGNATURE-----

121

--

122

gentoo-announce@l.g.o mailing list

1	-----BEGIN PGP SIGNED MESSAGE-----
2	Hash: SHA1
3
4	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5	Gentoo Linux Security Advisory GLSA 200803-28
6	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7	http://security.gentoo.org/
8	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10	Severity: Normal
11	Title: OpenLDAP: Denial of Service vulnerabilities
12	Date: March 19, 2008
13	Bugs: #197446, #209677
14	ID: 200803-28
15
16	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
17
18	Synopsis
19	========
20
21	Multiple Denial of Service vulnerabilities have been reported in
22	OpenLDAP.
23
24	Background
25	==========
26
27	OpenLDAP Software is an open source implementation of the Lightweight
28	Directory Access Protocol.
29
30	Affected packages
31	=================
32
33	-------------------------------------------------------------------
34	Package / Vulnerable / Unaffected
35	-------------------------------------------------------------------
36	1 net-nds/openldap < 2.3.41 >= 2.3.41
37
38	Description
39	===========
40
41	The following errors have been discovered in OpenLDAP:
42
43	* Tony Blake discovered an error which exists within the
44	normalisation of "objectClasses" (CVE-2007-5707).
45
46	* Thomas Sesselmann reported that, when running as a proxy-caching
47	server the "add_filter_attrs()" function in
48	servers/slapd/overlay/pcache.c does not correctly NULL terminate
49	"new_attrs" (CVE-2007-5708).
50
51	* A double-free bug exists in attrs_free() in the file
52	servers/slapd/back-bdb/modrdn.c, which was discovered by Jonathan
53	Clarke (CVE-2008-0658).
54
55	Impact
56	======
57
58	A remote attacker can cause a Denial of Serivce by sending a malformed
59	"objectClasses" attribute, and via unknown vectors that prevent the
60	"new_attrs" array from being NULL terminated, and via a modrdn
61	operation with a NOOP (LDAP_X_NO_OPERATION) control.
62
63	Workaround
64	==========
65
66	There is no known workaround at this time.
67
68	Resolution
69	==========
70
71	All OpenLDAP users should upgrade to the latest version:
72
73	# emerge --sync
74	# emerge --ask --oneshot --verbose ">=net-nds/openldap-2.3.41"
75
76	References
77	==========
78
79	[ 1 ] CVE-2007-5707
80	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5707
81	[ 2 ] CVE-2007-5708
82	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5708
83	[ 3 ] CVE-2008-0658
84	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0658
85
86	Availability
87	============
88
89	This GLSA and any updates to it are available for viewing at
90	the Gentoo Security Website:
91
92	http://security.gentoo.org/glsa/glsa-200803-28.xml
93
94	Concerns?
95	=========
96
97	Security is a primary focus of Gentoo Linux and ensuring the
98	confidentiality and security of our users machines is of utmost
99	importance to us. Any security concerns should be addressed to
100	security@g.o or alternatively, you may file a bug at
101	http://bugs.gentoo.org.
102
103	License
104	=======
105
106	Copyright 2008 Gentoo Foundation, Inc; referenced text
107	belongs to its owner(s).
108
109	The contents of this document are licensed under the
110	Creative Commons - Attribution / Share Alike license.
111
112	http://creativecommons.org/licenses/by-sa/2.5
113	-----BEGIN PGP SIGNATURE-----
114	Version: GnuPG v2.0.7 (GNU/Linux)
115	Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
116
117	iD8DBQFH4ZoCuhJ+ozIKI5gRAuZYAKCXAX4sXc39JTd83l6VwVfnHdMsZACfQVfi
118	kTrjdz99Vifw47to09cOknQ=
119	=0mt1
120	-----END PGP SIGNATURE-----
121	--
122	gentoo-announce@l.g.o mailing list

Gentoo Archives: gentoo-announce