Univention Bugzilla – Bug 37728
openldap: Denial of service (3.2)
Last modified: 2015-09-23 13:15:16 CEST
If the slapo-deref overlay is used (which is not the case in a standard UCS installation) and if the list of attributes to be dereferenced is left empty, slapd can be crashed (CVE-2015-1545).
Fixed in upstream Debian package version 2.4.23-7.3+deb6u1
Another issue now fixed in 2.4.23-7.3+deb6u2:
* Denial of service by unauthenticated remote attackers (reachable assertion and application crash) via crafted BER data (CVE-2015-6908)
The openldap package has been rebuilt in scope errata3.2-7 with the extracted Debian patch 96_ITS8240-remove-obsolete-assert.patch.
Advisory: 2015-09-11-openldap.yaml
OK - openldap patches CVE-2015-1545 and CVE-2015-6908
OK - YAML
<http://errata.software-univention.de/ucs/3.2/371.html>