Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[SECURITY] [DSA 1541-1] New openldap2.3 packages fix denial of service
From: Moritz Muehlenhoff <jmm () debian org>
Date: Tue, 8 Apr 2008 23:50:58 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1541-1                  security () debian org
http://www.debian.org/security/                       Moritz Muehlenhoff
April 08, 2008                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : openldap2.3
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-5707 CVE-2007-5708 CVE-2007-6698 CVE-2008-0658
Debian Bug     : 440632 448644 465875

Several remote vulnerabilities have been discovered in OpenLDAP, a
free implementation of the Lightweight Directory Access Protocol. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2007-5707

    Thomas Sesselmann discovered that slapd could be crashed by a
    malformed modify requests.
  
CVE-2007-5708

    Toby Blade discovered that incorrect memory handling in slapo-pcache
    could lead to denial of service through crafted search requests.

CVE-2007-6698

    It was discovered that a programming error in the interface to the
    BDB storage backend could lead to denial of service through
    crafted modify requests.

CVE-2008-0658

    It was discovered that a programming error in the interface to the
    BDB storage backend could lead to denial of service through
    crafted modrdn requests.

For the stable distribution (etch), these problems have been fixed in
version 2.3.30-5+etch1.

For the unstable distribution (sid), these problems have been fixed in
version 2.4.7-6.1.

We recommend that you upgrade your openldap2.3 packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 4.0 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/o/openldap2.3/openldap2.3_2.3.30-5+etch1.diff.gz
    Size/MD5 checksum:   311352 ab5ecd0da4ad32f39ca8ca34e97aea8e
  http://security.debian.org/pool/updates/main/o/openldap2.3/openldap2.3_2.3.30.orig.tar.gz
    Size/MD5 checksum:  2971126 c40bcc23fa65908b8d7a86a4a6061251
  http://security.debian.org/pool/updates/main/o/openldap2.3/openldap2.3_2.3.30-5+etch1.dsc
    Size/MD5 checksum:     1205 64cd8bb9897af0062fd15e9b0fb8e32e

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_alpha.deb
    Size/MD5 checksum:   193978 6e4e9f9c7f0936cb8d023bf2402af42e
  http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_alpha.deb
    Size/MD5 checksum:   293070 35576398d8f2d5618bace89bbec87870
  http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_alpha.deb
    Size/MD5 checksum:  1283688 a2eaf28c1c1285753e71122c5561e39f

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_amd64.deb
    Size/MD5 checksum:   184540 6bc131c285864c654d28e90fd06000ee
  http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_amd64.deb
    Size/MD5 checksum:   285256 995b228196a6ce2ccf5bcfa6521244c5
  http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_amd64.deb
    Size/MD5 checksum:  1244474 3b455c3a4f221bfb82dd6f70dd5f851a

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_arm.deb
    Size/MD5 checksum:  1188898 956eeea9cc2bd6e5e4e50145d05dd39e
  http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_arm.deb
    Size/MD5 checksum:   141956 d9b143c4304ca81db461be2bdf30221c
  http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_arm.deb
    Size/MD5 checksum:   254604 6b2744212645932232f285547c3465a0

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_hppa.deb
    Size/MD5 checksum:  1306308 287335a1821aefc8efb102d6982aff98
  http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_hppa.deb
    Size/MD5 checksum:   292048 4a4f3ef5fbbe1e8793bf1cd797e7b028
  http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_hppa.deb
    Size/MD5 checksum:   180756 691a106d02d195b991b235515d0d174c

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_i386.deb
    Size/MD5 checksum:   265946 e88fc90218b13aebb2a1578901a69824
  http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_i386.deb
    Size/MD5 checksum:  1174252 903a34a92df100585dba3e0ec0f25987
  http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_i386.deb
    Size/MD5 checksum:   154126 80588200bcbc4f6b8e3c60983eae4780

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_ia64.deb
    Size/MD5 checksum:   379540 9487d1a5a9a03c4654b7a361d4c67753
  http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_ia64.deb
    Size/MD5 checksum:  1660796 6df92fd96886f3316f26f89f2da0eb96
  http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_ia64.deb
    Size/MD5 checksum:   239118 9ae940f8df656d2f233acefd0b2274bf

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_mips.deb
    Size/MD5 checksum:   185506 8a1ab4fc883116059b529ffa00a8c346
  http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_mips.deb
    Size/MD5 checksum:  1205680 431589f3aad740adde1dc121edfc2f0b
  http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_mips.deb
    Size/MD5 checksum:   257964 10ae6c9739e5ec1cce436e82572d3086

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_mipsel.deb
    Size/MD5 checksum:  1188188 eb29253ae4008e5e74135b9b03fda111
  http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_mipsel.deb
    Size/MD5 checksum:   258576 83b99052b2853cd94b665ae621d3b66f
  http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_mipsel.deb
    Size/MD5 checksum:   186780 316031a466a6e221789ee246c2fe96c6

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_powerpc.deb
    Size/MD5 checksum:   272220 f8cb7024f7e5e00b94ff8d638cddb18d
  http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_powerpc.deb
    Size/MD5 checksum:   188744 7bd626905a9443950a1cab4df28a4a59
  http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_powerpc.deb
    Size/MD5 checksum:  1243640 6faf3ce99497a3e8d793eea3c0d0aca2

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_s390.deb
    Size/MD5 checksum:  1240862 ccf0e13f6dc5756dc84d524cb9a033dd
  http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_s390.deb
    Size/MD5 checksum:   291452 33deedd35ad575833f7227047b644fae
  http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_s390.deb
    Size/MD5 checksum:   168348 4fa52da0e0d54466a804c40306ae9f83

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_sparc.deb
    Size/MD5 checksum:  1167532 392f3e996130e2fa64c0005218d776e0
  http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_sparc.deb
    Size/MD5 checksum:   256800 32585d0c8d9996050f74caf021af6f73
  http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_sparc.deb
    Size/MD5 checksum:   154976 a083feee801f6c843b6509df9b6307b3


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce () lists debian org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH++iGXm3vHE4uyloRAsmmAJ4+qGN0+KYGQf+LkJURZvf2xNHc6wCgusMV
9+QeCZXT1tC9AYUHa0ESfNk=
=7PGS
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [SECURITY] [DSA 1541-1] New openldap2.3 packages fix denial of service Moritz Muehlenhoff (Apr 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault