First Last Prev Next    This bug is not in your last search results.
Bug 54627 - Denial of service: slapd (5.0)
Denial of service: slapd (5.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 5.0
Other Linux
: P5 normal (vote)
: UCS 5.0-1-errata
Assigned To: Arvid Requate
Julia Bremer
:
Depends on:
Blocks: 54628
  Show dependency treegraph
 
Reported: 2022-03-31 14:00 CEST by Arvid Requate
Modified: 2022-04-20 19:14 CEST (History)
4 users (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
requate: Patch_Available+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2022-03-31 14:00:30 CEST 
We need to backport the patch for this DoS issue. It doesn't have a CVE.

https://bugs.openldap.org/show_bug.cgi?id=9124
Comment 1 Michael Ströder 2022-03-31 14:24:28 CEST 
Another DoS attack vector based on malformed Cancel ext.op. which you should also fix in one go:

https://bugs.openldap.org/show_bug.cgi?id=9428

In general OpenLDAP security fixes rarely have CVE-IDs assigned. :-(
Comment 2 Arvid Requate univentionstaff 2022-03-31 15:37:34 CEST 
The second one is already in upstream Debian package version 2.4.47+dfsg-3+deb10u6,
which we automatically track and update:

debian/patches/ITS-9428-fix-cancel-exop.patch
Comment 3 Arvid Requate univentionstaff 2022-03-31 16:47:30 CEST 
r19560 | 99_ITS-9124-Null-pointer-dereference-in-ber_skip_tag.quilt
431db1ac12 | Advisory

Package: openldap
Version: 2.4.47+dfsg-3+deb10u6A~5.0.0.202203311540
Branch: ucs_5.0-0
Scope: errata5.0-1
Comment 4 Julia Bremer univentionstaff 2022-04-19 11:16:35 CEST 
Tests: OK
Patch applied: OK
Package built: OK
Installation: OK

Verified
First Last Prev Next    This bug is not in your last search results.