197446 CVE-2007-5707 2007-10-29 19:20 0000 net-nds/openldap < 2.3.39-r1 app-emulation/emul-linux-x86-baselibs <20071128 Denial of Service Vulnerabilities (CVE-2007-{5707,5708}) 2008-03-19 22:07:43 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/27424/ B3 [glsa] P2 minor --- 196865 1 keytoaster@gentoo.org security@gentoo.org ldap-bugs@gentoo.org keytoaster@gentoo.org 2007-10-29 19:20:10 0000 Some vulnerabilities have been reported in OpenLDAP, which can be exploited by malicious users to cause a DoS (Denial of Service). 1) A vulnerability is caused due to the "add_filter_attrs()" function in servers/slapd/overlay/pcache.c not correctly NULL terminating "new_attrs", which can be exploited to crash slapd due to an out of bounds memory access. Successful exploitation may require that slapd runs as proxy-caching server. 2) An error within the normalisation of "objectClasses" can be exploited to crash a vulnerable server by sending a malformed "objectClasses" attribute. The vulnerabilities are reported in versions prior to 2.3.39. Note: Several other bugs, which may have a security impact, were also reported. SOLUTION: Update to version 2.3.39. keytoaster@gentoo.org 2007-10-29 19:24:07 0000 2.3.39 has been added to the tree a few hours ago. Is this version ready to be stabilised? ldap team, please advise. jokey@gentoo.org 2007-10-29 19:47:47 0000 do it :) arches please use the testkit with overlays useflag set (and without if you feel like spending more time) strerror@gentoo.org 2007-10-29 19:48:05 0000 well given that it's only just been added and we haven't filed a stabilization bug i'd guess it's NOT ready to be stabilized. In light of the advisory though we can probably speed it up. Having read all the advisories though, it doesn't seem to be a major issue, in fact contrary to what I saw some classify the bug as, it does require special compile configuration and authorized access to add things to the DIT. In other words the impact is lessened considerably if you are running a normal recommended setup where you don't allow anonymous people to make modifications to your LDAP backend. I'll see if I can get hold of robbat / jokey and find out there thoughts, we'll look to stabilize it soon though. strerror@gentoo.org 2007-10-29 19:48:38 0000 markus your overlay use flag still breaks all the syncrepl stuff. I'd like to fix it before we push it out. I'll catch you on irc. py@gentoo.org 2007-10-29 21:50:28 0000 ok, ping security back when it's ready. jokey@gentoo.org 2007-10-30 11:04:59 0000 *** Bug 195180 has been marked as a duplicate of this bug. *** rbu@gentoo.org 2007-11-05 19:32:10 0000 After ~arch for a week, how is it doing? jokey@gentoo.org 2007-11-08 06:24:37 0000 Enabled the syncprov overlay now by default so that it works sanely with new-style config system with 2.3.39-r1 rbu@gentoo.org 2007-11-16 00:06:50 0000 Is this ready for stabling now? rbu@gentoo.org 2007-11-26 02:02:31 0000 Jokey, I remember you OK'ed the stabling in a recent chat, but I lost the logs. Can you confirm that again, please? jokey@gentoo.org 2007-11-26 19:51:18 0000 Yup, just go ahead for now, the bdb issue will be dealt with at a different version rbu@gentoo.org 2007-11-26 20:14:24 0000 Arches, please test and mark stable net-nds/openldap-2.3.39-r1. Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86" kingtaco@gentoo.org 2007-11-26 21:16:37 0000 *sigh* you'll need a emul-linux-x86-baselibs bump too... rbu@gentoo.org 2007-11-26 21:31:38 0000 (In reply to comment #13) > *sigh* you'll need a emul-linux-x86-baselibs bump too... copy that sigh. ranger@gentoo.org 2007-11-26 23:14:29 0000 ppc stable ranger@gentoo.org 2007-11-27 01:28:18 0000 ppc64 stable jer@gentoo.org 2007-11-27 03:18:44 0000 Stable for HPPA. fauli@gentoo.org 2007-11-27 08:59:42 0000 x86 stable armin76@gentoo.org 2007-11-27 14:47:07 0000 alpha/ia64/sparc stable kingtaco@gentoo.org 2007-11-28 06:01:36 0000 (In reply to comment #14) > (In reply to comment #13) > > *sigh* you'll need a emul-linux-x86-baselibs bump too... > > copy that sigh. > app-emulation/emul-linux-x86-baselibs-20071128 going in the tree in an hour contains the fix. wolf31o2@gentoo.org 2007-11-28 23:22:26 0000 amd64 done... rbu@gentoo.org 2007-11-28 23:58:44 0000 vote is open. Vulnerability (1) does not affect the default configuration and vulnerability (2) only allows *authenticated* users to crash the server. I still tend to vote YES here. jaervosz@gentoo.org 2008-01-06 18:15:45 0000 I vote YES. rbu@gentoo.org 2008-01-06 23:03:48 0000 full YES then and filed. py@gentoo.org 2008-03-19 22:07:43 0000 GLSA 200803-28