Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE Request -- openldap (slapd): Assertion failure by processing search queries requesting only attributes for particular entry
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 12 Mar 2012 13:36:00 -0600

On 03/12/2012 11:36 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

  a denial of service flaw was found in the way the slapd server of the
the Lightweight Directory Access Protocol applications and development
processed certain search queries requesting only attributes (no values)
for a
particular entry. A remote attacker could issue a specially-crafted LDAP
query, which once processed by a vulnerable slapd server would lead to
assertion failure (slapd abort).

Upstream bug report:
[1] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7143

Original upstream patch:

Further patches:


[5] http://www.openldap.org/software/release/changes.html
[6] https://bugs.gentoo.org/show_bug.cgi?id=407941
[7] https://secunia.com/advisories/48372/
[8] https://bugzilla.redhat.com/show_bug.cgi?id=802514

Could you allocate a CVE identifier for this?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

Please use CVE-2012-1164 for this issue.

Kurt Seifried Red Hat Security Response Team (SRT)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]