First Last Prev Next    This bug is not in your last search results.
Bug 37728 - openldap: Denial of service (3.2)
openldap: Denial of service (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.0
Other Linux
: P2 normal (vote)
: UCS 3.2-7-errata
Assigned To: Arvid Requate
Felix Botner
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-02-09 08:45 CET by Moritz Muehlenhoff
Modified: 2015-09-23 13:15 CEST (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Moritz Muehlenhoff univentionstaff 2015-02-09 08:45:20 CET 
If the slapo-deref overlay is used (which is not the case in a standard UCS installation) and if the list of attributes to be dereferenced is left empty, slapd can be crashed (CVE-2015-1545)
Comment 1 Arvid Requate univentionstaff 2015-05-07 17:13:18 CEST 
Fixed in upstream Debian package version 2.4.23-7.3+deb6u1
Comment 2 Arvid Requate univentionstaff 2015-09-14 16:45:34 CEST 
Another issue now fixed in 2.4.23-7.3+deb6u2:

* Denial of service by unauthenticated remote attackers (reachable assertion and application crash) via crafted BER data (CVE-2015-6908)
Comment 3 Arvid Requate univentionstaff 2015-09-14 19:00:52 CEST 
The openldap package has been rebuilt in scope errata3.2-7 with the extracted Debian patch 96_ITS8240-remove-obsolete-assert.patch

Advisory: 2015-09-11-openldap.yaml
Comment 4 Felix Botner univentionstaff 2015-09-16 13:05:47 CEST 
OK - openldap patches CVE-2015-1545 and CVE-2015-6908
OK - YAML
Comment 5 Janek Walkenhorst univentionstaff 2015-09-23 13:15:16 CEST 
<http://errata.software-univention.de/ucs/3.2/371.html>
First Last Prev Next    This bug is not in your last search results.