Univention Bugzilla – Bug 52747
openldap: Multiple issues (4.4)
Last modified: 2022-04-06 13:19:15 CEST
https://www.debian.org/security/2021/dsa-4845
https://security-tracker.debian.org/tracker/source-package/openldap

In UCS 4.4-7 we currently have a patched version originally from stretch-backports: http://xen1.knut.univention.de:8000/packages/source/openldap/

I guess it would be a good idea to update to a more recent https://packages.debian.org/search?suite=stretch-backports&searchon=sourcenames&keywords=openldap -- The package version would still stay below the one in UCS 5.0-0
* Denial of Service due to integer underflow leading to slapd crashes in the Certificate Exact Assertion processing (CVE-2020-36221)
* Denial of Service due to an assertion failure in slapd in the saslAuthzTo validation (CVE-2020-36222)
* Denial of Service due to slapd crash in the Values Return Filter control handling (CVE-2020-36223)
* Denial of Service due to invalid pointer free and slapd crash in the saslAuthzTo processing (CVE-2020-36224)
* Denial of Service due to double free and slapd crash in the saslAuthzTo processing (CVE-2020-36225)
* Denial of Service due to a memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing (CVE-2020-36226)
* Denial of Service due to an infinite loop in slapd with the cancel_extop Cancel operation (CVE-2020-36227)
* Denial of Service due to an integer underflow leading to a slapd crash in the Certificate List Exact Assertion processing (CVE-2020-36228)
* Denial of Service due to flaw in ldap_X509dn2bv leading to a slapd crash in the X.509 DN parsing in ad_keystring (CVE-2020-36229)
* Denial of Service due to assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element (CVE-2020-36230)
CVE-2020-36221 - openldap ITS 9404
CVE-2020-36222 - openldap ITS 9406
CVE-2020-36223 - openldap ITS 9408
CVE-2020-36224 - openldap ITS 9409
CVE-2020-36225 - openldap ITS 9412
CVE-2020-36226 - openldap ITS 9413
CVE-2020-36227 - openldap ITS 9428
CVE-2020-36228 - openldap ITS 9427
CVE-2020-36229 - openldap ITS 9425
CVE-2020-36230 - openldap ITS 9423
> I guess it would be a good idea to update to a more recent https://packages.debian.org/search?suite=stretch-backports&searchon=sourcenames&keywords=openldap -- The package version would still stay below the one in UCS 5.0-0

I'm a coward, seems that stretch-backports version no longer gets sec updates, so I go with our current packages plus the stretch [security] patches.

UCS 4.4: Added the following patches from https://packages.debian.org/source/stretch/openldap openldap (2.4.44+dfsg-5+deb9u7) [security] to our 4.4-0-0-ucs/2.4.45+dfsg-1~bpo9+1-errata4.4-7

CVE-2020-36221 - openldap ITS 9404 - ITS-9404-fix-serialNumberAndIssuerCheck.patch
CVE-2020-36222 - openldap ITS 9406 - ITS-9406-9407-remove-saslauthz-asserts.patch, ITS-9406-fix-debug-msg.patch
CVE-2020-36223 - openldap ITS 9408 - ITS-9408-fix-vrfilter-double-free.patch
CVE-2020-36224 - openldap ITS 9409 - ITS-9409-saslauthz-use-ch_free-on-normalized-DN.patch, ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.patch
CVE-2020-36225 - openldap ITS 9412 - ITS-9412-fix-AVA_Sort-on-invalid-RDN.patch
CVE-2020-36226 - openldap ITS 9413 - ITS-9413-fix-slap_parse_user.patch
CVE-2020-36230 - openldap ITS 9423 - ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.patch
CVE-2020-36229 - openldap ITS 9425 - ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch
CVE-2020-36228 - openldap ITS 9427 - ITS-9427-fix-issuerAndThisUpdateCheck.patch
CVE-2020-36227 - openldap ITS 9428 - ITS-9428-fix-cancel-exop.patch

plus these two additional patches
ITS-9411-fix-thisUpdate-check.patch
ITS-9424-fix-serialNumberAndIssuerSerialCheck.patch

UCS 5.0: Already fixed in 2.4.47+dfsg-3+deb10u5 (buster (security))
> seems that stretch-backports version no longer gets sec updates,

FYI: stretch-backports *never* gets sec updates. That's why it's vitally important to inform our sec monitoring in cases where packages are imported from some unmaintained package source like *-backports.
At least one additional issue: https://security-tracker.debian.org/tracker/CVE-2021-27212
Added the following patch
CVE-2021-27212 - ITS-9454-fix-issuerAndThisUpdateCheck.patch
OK: Patches svn r19287
99_ITS-9404-fix-serialNumberAndIssuerCheck.quilt
99_ITS-9406-9407-remove-saslauthz-asserts.quilt
99_ITS-9406-fix-debug-msg.quilt
99_ITS-9408-fix-vrfilter-double-free.quilt
99_ITS-9409-saslauthz-use-ch_free-on-normalized-DN.quilt
99_ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.quilt
99_ITS-9411-fix-thisUpdate-check.quilt
99_ITS-9412-fix-AVA_Sort-on-invalid-RDN.quilt
99_ITS-9413-fix-slap_parse_user.quilt
99_ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.quilt
99_ITS-9424-fix-serialNumberAndIssuerSerialCheck.quilt
99_ITS-9425-add-more-checks-to-ldap_X509dn2bv.quilt
99_ITS-9427-fix-issuerAndThisUpdateCheck.quilt
99_ITS-9428-fix-cancel-exop.quilt
OK: Patch svn r19293
99_ITS-9454-fix-issuerAndThisUpdateCheck.quilt
OK: Patches applied in openldap 2.4.45+dfsg-1~bpo9+1A~4.4.0.202102221450
OK: yaml
Verified
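The QA step above amounts to checking that every CVE in the advisory is backed by a quilt patch in the package, and the thread shows how one CVE (CVE-2021-27212) was initially missed. As an added example, not part of this bug or of the Univention packaging, the following Python check parses the CVE to ITS mapping exactly as it is written in the comments and reports any CVE whose ITS number has no matching patch; the debian/patches/series excerpt is constructed for this example and deliberately omits the ITS 9454 patch.

```python
import re

# CVE -> OpenLDAP ITS mapping as written in the bug comments (the DSA-4845 set
# plus the later CVE-2021-27212 / ITS 9454), kept in its flattened form.
ADVISORY_MAP = (
    "CVE-2020-36221 - openldap ITS 9404 CVE-2020-36222 - openldap ITS 9406 "
    "CVE-2020-36223 - openldap ITS 9408 CVE-2020-36224 - openldap ITS 9409 "
    "CVE-2020-36225 - openldap ITS 9412 CVE-2020-36226 - openldap ITS 9413 "
    "CVE-2020-36227 - openldap ITS 9428 CVE-2020-36228 - openldap ITS 9427 "
    "CVE-2020-36229 - openldap ITS 9425 CVE-2020-36230 - openldap ITS 9423 "
    "CVE-2021-27212 - openldap ITS 9454"
)

# Constructed (hypothetical) debian/patches/series excerpt using the patch
# names from the QA comment; the ITS 9454 patch is left out on purpose.
SERIES = """\
99_ITS-9404-fix-serialNumberAndIssuerCheck.quilt
99_ITS-9406-9407-remove-saslauthz-asserts.quilt
99_ITS-9408-fix-vrfilter-double-free.quilt
99_ITS-9409-saslauthz-use-ch_free-on-normalized-DN.quilt
99_ITS-9412-fix-AVA_Sort-on-invalid-RDN.quilt
99_ITS-9413-fix-slap_parse_user.quilt
99_ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.quilt
99_ITS-9425-add-more-checks-to-ldap_X509dn2bv.quilt
99_ITS-9427-fix-issuerAndThisUpdateCheck.quilt
99_ITS-9428-fix-cancel-exop.quilt
"""

CVE_RE = re.compile(r"(CVE-\d{4}-\d{4,})\s*-\s*openldap ITS (\d+)")
ITS_RE = re.compile(r"ITS-(\d+(?:-\d+)*)")  # also catches combined 9406-9407


def parse_advisory_map(text):
    """Return {CVE: ITS number} from 'CVE-... - openldap ITS NNNN' text."""
    return dict(CVE_RE.findall(text))


def its_numbers_in_series(series_text):
    """Collect every ITS number named in a patch file name of the series."""
    found = set()
    for line in series_text.splitlines():
        if line.strip() and not line.startswith("#"):  # series allows comments
            for m in ITS_RE.finditer(line):
                found.update(m.group(1).split("-"))
    return found


def uncovered_cves(advisory_text, series_text):
    """CVEs from the advisory whose ITS number has no patch in the series."""
    have = its_numbers_in_series(series_text)
    return sorted(cve for cve, its in parse_advisory_map(advisory_text).items()
                  if its not in have)
```

Running `uncovered_cves(ADVISORY_MAP, SERIES)` on the constructed series lists only CVE-2021-27212, which matches the gap that was closed with ITS-9454 in this thread.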
<https://errata.software-univention.de/#/?erratum=4.4x908>
*** Bug 53447 has been marked as a duplicate of this bug. ***