Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200606-17 ] OpenLDAP: Buffer overflow
Date: Thu, 15 Jun 2006 16:37:37
Message-Id: 200606151754.38312.jaervosz@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200606-17
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: OpenLDAP: Buffer overflow
9 Date: June 15, 2006
10 Bugs: #134010
11 ID: 200606-17
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 The OpenLDAP replication server slurpd contains a buffer overflow that
19 could result in arbitrary code execution.
20
21 Background
22 ==========
23
24 OpenLDAP is a suite of LDAP-related applications and development tools.
25 It includes slapd (the standalone LDAP server), slurpd (the standalone
26 LDAP replication server), various LDAP libraries, utilities and example
27 clients.
28
29 Affected packages
30 =================
31
32 -------------------------------------------------------------------
33 Package / Vulnerable / Unaffected
34 -------------------------------------------------------------------
35 1 net-nsd/openldap < 2.3.22 >= 2.3.22
36
37 Description
38 ===========
39
40 slurpd contains a buffer overflow when reading very long hostnames from
41 the status file.
42
43 Impact
44 ======
45
46 By injecting an overly long hostname in the status file, an attacker
47 could possibly cause the execution of arbitrary code with the
48 permissions of the user running slurpd.
49
50 Workaround
51 ==========
52
53 There is no known workaround at this time.
54
55 Resolution
56 ==========
57
58 All openLDAP users should upgrade to the latest version:
59
60 # emerge --sync
61 # emerge --ask --oneshot --verbose ">=net-nds/openldap-2.3.22"
62
63 References
64 ==========
65
66 [ 1 ] CVE-2006-2754
67 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2754
68
69 Availability
70 ============
71
72 This GLSA and any updates to it are available for viewing at
73 the Gentoo Security Website:
74
75 http://security.gentoo.org/glsa/glsa-200606-17.xml
76
77 Concerns?
78 =========
79
80 Security is a primary focus of Gentoo Linux and ensuring the
81 confidentiality and security of our users machines is of utmost
82 importance to us. Any security concerns should be addressed to
83 security@g.o or alternatively, you may file a bug at
84 http://bugs.gentoo.org.
85
86 License
87 =======
88
89 Copyright 2006 Gentoo Foundation, Inc; referenced text
90 belongs to its owner(s).
91
92 The contents of this document are licensed under the
93 Creative Commons - Attribution / Share Alike license.
94
95 http://creativecommons.org/licenses/by-sa/2.5