From ${URL}: It was discovered that an anonymous (or bound) LDAP request to the 389 Directory Server could trigger a crash of the server when handling LDAP V3 control data. If a malicious unauthenticated user were to send an LDAP request containing crafted LDAPv3 control data, they could cause the server to crash, denying service to the directory.
I am bumping it:

*389-ds-base-1.3.0.2 (14 Mar 2013)

  14 Mar 2013; Fabio Erculiani <lxnay@gentoo.org> +389-ds-base-1.3.0.2.ebuild,
  -389-ds-base-1.2.11.15.ebuild:
  version bump, fixes bug #461522

*389-dsgw-1.1.10 (14 Mar 2013)

  14 Mar 2013; Fabio Erculiani <lxnay@gentoo.org> +389-dsgw-1.1.10.ebuild,
  -389-dsgw-1.1.7.ebuild:
  version bump, fixes #461522
Thanks, Fabio. Closing noglsa for ~arch only.
reopening: http://web.nvd.nist.gov/view/vuln/detail;jsessionid=8C25BABFBC85771DF1D2687853BF2462?vulnId=CVE-2013-0312 389 Directory Server before 1.3.0.4 allows remote attackers to cause a denial of service (crash) via a zero length LDAP control sequence. @lxnay, I guess you need to bump to 1.3.0.4.
1.3.0.4 is in testing (see $HOMEPAGE). The patch must then be backported.
CVE-2013-0312 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0312): 389 Directory Server before 1.3.0.4 allows remote attackers to cause a denial of service (crash) via a zero length LDAP control sequence.
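The trigger NVD names above is a zero-length LDAP control sequence: the optional `controls [0]` element of an LDAPMessage is present but carries no Control at all. The following is an added illustration of that bug class, written for this thread; it is not code from 389-ds-base and does not reproduce its internals. It is a small hand-written BER decoder for the LDAPMessage envelope that treats an empty controls element as "no controls" instead of assuming a first Control exists, and it bounds-checks every length so truncated input raises rather than reading past the buffer. The two sample messages are constructed inline (an anonymous LDAPv3 simple bind, once with an empty controls element and once carrying a critical ManageDsaIT control, OID 2.16.840.1.113730.3.4.2).

```python
"""Added example (not 389-ds code): decode the optional controls field of an
LDAPv3 message and handle a zero-length controls SEQUENCE safely."""


def encode_tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV with a single-byte tag and a definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV at buf[pos]; return (tag, value, position after it).
    Every bounds check is explicit so malformed input raises ValueError."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        if pos + n > len(buf):
            raise ValueError("truncated length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def parse_controls(data: bytes):
    """Parse Controls ::= SEQUENCE OF Control (the [0] tag already stripped).
    A zero-length value is legal BER and yields an empty list; the loop never
    touches a 'first control' that is not there."""
    controls = []
    pos = 0
    while pos < len(data):
        tag, ctrl, pos = read_tlv(data, pos)
        if tag != 0x30:
            raise ValueError("Control must be a SEQUENCE")
        # Control ::= SEQUENCE { controlType LDAPOID,
        #                        criticality BOOLEAN DEFAULT FALSE,
        #                        controlValue OCTET STRING OPTIONAL }
        tag, oid, p = read_tlv(ctrl, 0)
        if tag != 0x04:
            raise ValueError("controlType must be an OCTET STRING")
        criticality, value = False, None
        if p < len(ctrl):
            tag, field, p = read_tlv(ctrl, p)
            if tag == 0x01:                      # criticality
                criticality = field != b"\x00"
                if p < len(ctrl):
                    tag, field, p = read_tlv(ctrl, p)
                else:
                    tag = None
            if tag == 0x04:                      # controlValue
                value = field
            elif tag is not None:
                raise ValueError("unexpected element in Control")
        if p != len(ctrl):
            raise ValueError("trailing bytes in Control")
        controls.append((oid.decode("ascii"), criticality, value))
    return controls


def parse_ldap_message(msg: bytes):
    """Return (messageID, protocolOp tag, controls) for one LDAPMessage.
    The controls element may be absent or present with zero length."""
    tag, body, end = read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise ValueError("LDAPMessage must be exactly one SEQUENCE")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    message_id = int.from_bytes(mid, "big", signed=True)
    op_tag, _op, pos = read_tlv(body, pos)          # protocolOp, not decoded here
    controls = []
    if pos < len(body):                             # controls [0] OPTIONAL
        tag, ctl, pos = read_tlv(body, pos)
        if tag != 0xA0:
            raise ValueError("unexpected element after protocolOp")
        controls = parse_controls(ctl)              # ctl may legitimately be b""
    if pos != len(body):
        raise ValueError("trailing bytes in LDAPMessage")
    return message_id, op_tag, controls


# Constructed sample: anonymous LDAPv3 simple BindRequest ([APPLICATION 0]),
# messageID 1, followed by a zero-length controls element (the shape NVD names).
ANON_BIND = encode_tlv(0x02, b"\x03") + encode_tlv(0x04, b"") + encode_tlv(0x80, b"")
EMPTY_CONTROLS_MSG = encode_tlv(
    0x30, encode_tlv(0x02, b"\x01") + encode_tlv(0x60, ANON_BIND) + encode_tlv(0xA0, b""))

# Constructed sample: the same bind carrying one critical ManageDsaIT control.
MANAGE_DSA_IT = encode_tlv(
    0x30, encode_tlv(0x04, b"2.16.840.1.113730.3.4.2") + encode_tlv(0x01, b"\xff"))
ONE_CONTROL_MSG = encode_tlv(
    0x30, encode_tlv(0x02, b"\x01") + encode_tlv(0x60, ANON_BIND) + encode_tlv(0xA0, MANAGE_DSA_IT))

if __name__ == "__main__":
    print(parse_ldap_message(EMPTY_CONTROLS_MSG))   # (1, 96, [])
    print(parse_ldap_message(ONE_CONTROL_MSG))      # (1, 96, [('2.16.840.1.113730.3.4.2', True, None)])
```

The point of the example is the `while pos < len(data)` loop in `parse_controls`: an empty controls element simply produces no iterations, and an outer length larger than the bytes actually received is rejected in `read_tlv` before anything is indexed. Whether 389-ds-base's fix took this exact form is not stated in the thread; this is only the shape of check a server needs on that code path.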
Any word on a bump here?
Hi, we have updated 389-ds-base to 1.3.4.7. This should resolve the issue. Thanks,
Referenced commit 5a7174bf7122309eee568651fb5f3413155f9fc2
All vulnerable versions removed from tree. GLSA Vote: No