GLSA Bodhisattva
Joined: 13 Jun 2003 Posts: 4087 Location: Dresden, Germany
|
Posted: Wed Mar 31, 2004 11:06 am Post subject: [ GLSA 200403-12 ] OpenLDAP DoS Vulnerability |
|
|
Gentoo Linux Security Advisory
Title: OpenLDAP DoS Vulnerability (GLSA 200403-12)
Severity: normal
Exploitable: remote
Date: March 31, 2004
Updated: May 22, 2006
Bug(s): #26728
ID: 200403-12
Synopsis
A failed password operation can cause the OpenLDAP slapd server, if it is using the back-ldbm backend, to free memory that was never allocated.
Background
OpenLDAP is a suite of LDAP-related application and development tools. It includes slapd (the standalone LDAP server), slurpd (the standalone LDAP replication server), and various LDAP libraries, utilities and example clients.
Affected Packages
Package: net-nds/openldap
Vulnerable: <= 2.1.12
Unaffected: >= 2.1.13
Architectures: All supported architectures
Description
A password extended operation (password EXOP) which fails will cause the slapd server to free() an uninitialized pointer, possibly resulting in a segfault. This only affects servers using the back-ldbm backend. Such a crash is not guaranteed with every failed operation, however, it is possible.
Impact
An attacker (or indeed, a normal user) may crash the OpenLDAP server, creating a Denial of Service condition.
Workaround
A workaround is not currently known for this issue. All users are advised to upgrade to the latest version of the affected package.
Resolution
OpenLDAP users should upgrade to version 2.1.13 or later: Code: | # emerge sync
# emerge -pv ">=net-nds/openldap-2.1.13"
# emerge ">=net-nds/openldap-2.1.13" |
References
OpenLDAP ITS Bug and Patch
CVE-2003-1201
Last edited by GLSA on Tue May 23, 2006 4:16 am; edited 2 times in total |
|