Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[ MDVSA-2011:055 ] openldap
From: security () mandriva com
Date: Wed, 30 Mar 2011 15:11:00 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:055
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : openldap
 Date    : March 30, 2011
 Affected: 2009.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been identified and fixed in openldap:
 
 chain.c in back-ldap in OpenLDAP 2.4.x before 2.4.24,
 when a master-slave configuration with a chain overlay and
 ppolicy_forward_updates (aka authentication-failure forwarding) is
 used, allows remote authenticated users to bypass external-program
 authentication by sending an invalid password to a slave server
 (CVE-2011-1024).
 
 modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote
 attackers to cause a denial of service (daemon crash) via a relative
 Distinguished Name (DN) modification request (aka MODRDN operation)
 that contains an empty value for the OldDN field (CVE-2011-1081).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1024
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1081
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 83ccec2a20904df9a0ca143da248d5d9  2009.0/i586/libldap2.4_2-2.4.11-3.4mdv2009.0.i586.rpm
 71b97d10738a74644373e91269eaeed6  2009.0/i586/libldap2.4_2-devel-2.4.11-3.4mdv2009.0.i586.rpm
 9d8ed8fde6288f8883bb1d13344e047a  2009.0/i586/libldap2.4_2-static-devel-2.4.11-3.4mdv2009.0.i586.rpm
 fb3d985950e150a02e8c230a311051c3  2009.0/i586/openldap-2.4.11-3.4mdv2009.0.i586.rpm
 ba4a65282d12a598e1e951080a18565f  2009.0/i586/openldap-clients-2.4.11-3.4mdv2009.0.i586.rpm
 ed18a20fa96960cfc10034c732b56b2c  2009.0/i586/openldap-doc-2.4.11-3.4mdv2009.0.i586.rpm
 e68073473f08adf052cc166ea2f2c8e5  2009.0/i586/openldap-servers-2.4.11-3.4mdv2009.0.i586.rpm
 ff1dcd171670dbb0e84845761baec2d4  2009.0/i586/openldap-testprogs-2.4.11-3.4mdv2009.0.i586.rpm
 7f9e1581e730cc69109db37dd63453ba  2009.0/i586/openldap-tests-2.4.11-3.4mdv2009.0.i586.rpm 
 1b9fa8641f7f41d4dd859e73170d0b34  2009.0/SRPMS/openldap-2.4.11-3.4mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 ecf971b49682fb6637c335f2790413db  2009.0/x86_64/lib64ldap2.4_2-2.4.11-3.4mdv2009.0.x86_64.rpm
 df29b7188a9b48141288950b00f2d7c9  2009.0/x86_64/lib64ldap2.4_2-devel-2.4.11-3.4mdv2009.0.x86_64.rpm
 fbdfbe6bb56cbe74c4c35a711450ae04  2009.0/x86_64/lib64ldap2.4_2-static-devel-2.4.11-3.4mdv2009.0.x86_64.rpm
 6336cf856ad3fd9cb71e69f89ae621a5  2009.0/x86_64/openldap-2.4.11-3.4mdv2009.0.x86_64.rpm
 08cbb77b99ee361f06650fd04ab954c4  2009.0/x86_64/openldap-clients-2.4.11-3.4mdv2009.0.x86_64.rpm
 9f1bcc61420e107387d20afcbfbda8ca  2009.0/x86_64/openldap-doc-2.4.11-3.4mdv2009.0.x86_64.rpm
 a23b50b362db34c35d7e206147e40d1d  2009.0/x86_64/openldap-servers-2.4.11-3.4mdv2009.0.x86_64.rpm
 0726dd1f6b44f0c215a3c27644e426db  2009.0/x86_64/openldap-testprogs-2.4.11-3.4mdv2009.0.x86_64.rpm
 e66476117347d5c19ac64b6bf3a00484  2009.0/x86_64/openldap-tests-2.4.11-3.4mdv2009.0.x86_64.rpm 
 1b9fa8641f7f41d4dd859e73170d0b34  2009.0/SRPMS/openldap-2.4.11-3.4mdv2009.0.src.rpm

 Mandriva Enterprise Server 5:
 21948fd7dce8ce2c4c8fef768cfebda2  mes5/i586/libldap2.4_2-2.4.11-3.4mdvmes5.2.i586.rpm
 7857e09b074a340d74373b90900d7669  mes5/i586/libldap2.4_2-devel-2.4.11-3.4mdvmes5.2.i586.rpm
 9d2e59be28483bcf3acb4ff25089a390  mes5/i586/libldap2.4_2-static-devel-2.4.11-3.4mdvmes5.2.i586.rpm
 2c3d52c077a56fa832d2d4209ad46834  mes5/i586/openldap-2.4.11-3.4mdvmes5.2.i586.rpm
 acc2717ad2b29a7b02ba7f943ef92416  mes5/i586/openldap-clients-2.4.11-3.4mdvmes5.2.i586.rpm
 d3deba0317c9f52ec463928a190dec51  mes5/i586/openldap-doc-2.4.11-3.4mdvmes5.2.i586.rpm
 f4da14b20cccf8a3059bf512ba839fb4  mes5/i586/openldap-servers-2.4.11-3.4mdvmes5.2.i586.rpm
 3c34b1a9af109ee763cb26ee7615e60c  mes5/i586/openldap-testprogs-2.4.11-3.4mdvmes5.2.i586.rpm
 a52cf23420f23ed3d3ac84abe446ae92  mes5/i586/openldap-tests-2.4.11-3.4mdvmes5.2.i586.rpm 
 b9bced393f520051e28a489c6d8ff9ab  mes5/SRPMS/openldap-2.4.11-3.4mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 aa04b9b7aa03aab2ec36bf7027339ea6  mes5/x86_64/lib64ldap2.4_2-2.4.11-3.4mdvmes5.2.x86_64.rpm
 7ef3c991e2bc597b527af6b1f4fbbe45  mes5/x86_64/lib64ldap2.4_2-devel-2.4.11-3.4mdvmes5.2.x86_64.rpm
 978ea5eed1b8957f352503e1d1036f37  mes5/x86_64/lib64ldap2.4_2-static-devel-2.4.11-3.4mdvmes5.2.x86_64.rpm
 2805cdd7f4b21269cbb7867492022743  mes5/x86_64/openldap-2.4.11-3.4mdvmes5.2.x86_64.rpm
 fd58b85bd63050c9e92947cda1e9c7ca  mes5/x86_64/openldap-clients-2.4.11-3.4mdvmes5.2.x86_64.rpm
 f4f917d985b61cf253ef64d5b488ae55  mes5/x86_64/openldap-doc-2.4.11-3.4mdvmes5.2.x86_64.rpm
 6717e80f594124b5a453f34945cf626b  mes5/x86_64/openldap-servers-2.4.11-3.4mdvmes5.2.x86_64.rpm
 a4533095a840c1dcb204f980555f885a  mes5/x86_64/openldap-testprogs-2.4.11-3.4mdvmes5.2.x86_64.rpm
 abb0169c24cee8546bfa9e59d3e602e7  mes5/x86_64/openldap-tests-2.4.11-3.4mdvmes5.2.x86_64.rpm 
 b9bced393f520051e28a489c6d8ff9ab  mes5/SRPMS/openldap-2.4.11-3.4mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFNkv3xmqjQ0CJFipgRAqQSAKCc3vPvJODiYO5xcI5stKqfUAsbAQCeJSyY
d2dZNLuNg8Fe8uz62O13Pfk=
=/zxu
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [ MDVSA-2011:055 ] openldap security (Mar 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault