Posted: Fri Aug 08, 2008 7:26 pm Post subject: [ GLSA 200808-09 ] OpenLDAP: Denial of Service vulnerability
Gentoo Linux Security Advisory
Title: OpenLDAP: Denial of Service vulnerability (GLSA 200808-09)
Severity: low
Exploitable: remote
Date: August 08, 2008
Bug(s): #230269
ID: 200808-09
Synopsis
A flaw in OpenLDAP allows remote unauthenticated attackers to cause a Denial of Service.
Background
OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol.
Affected Packages
Package: net-nds/openldap
Vulnerable: < 2.3.43
Unaffected: >= 2.3.43
Architectures: All supported architectures
Description
Cameron Hotchkies discovered an error in the parsing of ASN.1 BER-encoded packets in the "ber_get_next()" function in libraries/liblber/io.c.
Impact
A remote unauthenticated attacker can send a specially crafted ASN.1 BER-encoded packet that triggers the error and causes an "assert()" failure, terminating the "slapd" daemon.
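The failure mode described above is a BER header parser that aborts on malformed input instead of rejecting it. The following is an added illustration, written for this post and not taken from OpenLDAP's liblber, of how a defensive reader of the BER tag and length header returns an error for an indefinite length, an over-long length field, a truncated header or a declared length above a size limit, rather than aborting the process. The packet bytes and the 1 MiB size limit are constructed for the example; the structure follows the LDAP restriction that only definite-length BER is allowed.

```python
"""Defensive decoder for the tag and length header of a BER TLV.

Added example: a minimal reader that rejects malformed headers with an
exception the caller can handle, instead of abort()ing the whole server.
"""
from dataclasses import dataclass

# Constructed limit for the example, in the spirit of a max-incoming-size
# setting: a declared length above this is rejected before any allocation.
MAX_MSG_SIZE = 1 << 20


class BerError(ValueError):
    """Raised for any malformed header; the caller drops the connection."""


@dataclass(frozen=True)
class BerHeader:
    tag: int          # identifier octets, packed big-endian into one int
    length: int       # declared content length
    header_len: int   # number of octets consumed by tag + length


def read_header(buf: bytes, max_len: int = MAX_MSG_SIZE) -> BerHeader:
    """Parse the identifier and length octets at the start of buf."""
    if not buf:
        raise BerError("truncated: no identifier octet")
    pos = 1
    # High-tag-number form: low five bits all set, tag number continues in
    # following octets while bit 7 is set.  Cap it at four extra octets.
    if buf[0] & 0x1F == 0x1F:
        while True:
            if pos >= len(buf):
                raise BerError("truncated: incomplete identifier")
            if pos > 4:
                raise BerError("identifier too long")
            cont = buf[pos] & 0x80
            pos += 1
            if not cont:
                break
    tag = int.from_bytes(buf[:pos], "big")

    if pos >= len(buf):
        raise BerError("truncated: no length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first                      # short form
    elif first == 0x80:
        # Indefinite form is forbidden for LDAP PDUs; refuse it outright.
        raise BerError("indefinite length not permitted")
    else:
        n = first & 0x7F                    # long form: n length octets follow
        if n > 4:
            raise BerError(f"length field of {n} octets exceeds limit")
        if pos + n > len(buf):
            raise BerError("truncated: incomplete length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if length > max_len:
        raise BerError(f"declared length {length} exceeds {max_len}")
    return BerHeader(tag, length, pos)


def check_packet(buf: bytes) -> str:
    """Classify a received buffer: 'ok', 'incomplete' (need more bytes) or
    'rejected: <reason>'.  A server would only ever drop the connection on
    'rejected', never terminate."""
    try:
        hdr = read_header(buf)
    except BerError as exc:
        return f"rejected: {exc}"
    if len(buf) < hdr.header_len + hdr.length:
        return "incomplete"
    return "ok"


# Constructed sample packets for the example.
# A well-formed anonymous simple bind: SEQUENCE { INTEGER 1, [APPLICATION 0] {...} }
GOOD_BIND = bytes.fromhex("300c020101600702010304008000")
# Same PDU with the outer length written in the 4-octet long form.
LONG_FORM = bytes.fromhex("30840000000c") + GOOD_BIND[2:]
INDEFINITE = bytes.fromhex("3080")            # indefinite length
TOO_MANY_LEN_OCTETS = bytes.fromhex("30850000000000")
HUGE_LENGTH = bytes.fromhex("30847fffffff")   # ~2 GiB declared

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_BIND), ("long form", LONG_FORM),
                      ("indefinite", INDEFINITE), ("5 length octets", TOO_MANY_LEN_OCTETS),
                      ("huge", HUGE_LENGTH), ("truncated", GOOD_BIND[:1])]:
        print(f"{name:16s} -> {check_packet(pkt)}")
```

Every rejection path returns to the caller; the process-terminating assert that this advisory describes is exactly what such a parser must not do on attacker-supplied bytes.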
Workaround
There is no known workaround at this time.
Resolution
All OpenLDAP users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-nds/openldap-2.3.43"

References
CVE-2008-2952