| Summary: | net-nds/openldap < 2.3.39-r1 app-emulation/emul-linux-x86-baselibs <20071128 Denial of Service Vulnerabilities (CVE-2007-{5707,5708}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tobias Heinlein (RETIRED) <keytoaster> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | ldap-bugs |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://secunia.com/advisories/27424/ | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 196865 | | |
Description
Tobias Heinlein (RETIRED)
2007-10-29 19:20:10 UTC
2.3.39 has been added to the tree a few hours ago. Is this version ready to be stabilised? ldap team, please advise.

do it :)

arches, please use the testkit with the overlays USE flag set (and without if you feel like spending more time).

well given that it's only just been added and we haven't filed a stabilization bug, I'd guess it's NOT ready to be stabilized. In light of the advisory, though, we can probably speed it up. Having read all the advisories, it doesn't seem to be a major issue; in fact, contrary to what I saw some classify the bug as, it does require special compile configuration and authorized access to add things to the DIT. In other words, the impact is lessened considerably if you are running a normal recommended setup where you don't allow anonymous people to make modifications to your LDAP backend. I'll see if I can get hold of robbat / jokey and find out their thoughts; we'll look to stabilize it soon though.

markus, your overlay USE flag still breaks all the syncrepl stuff. I'd like to fix it before we push it out. I'll catch you on irc.

ok, ping security back when it's ready.

*** Bug 195180 has been marked as a duplicate of this bug. ***

After ~arch for a week, how is it doing?

Enabled the syncprov overlay now by default so that it works sanely with the new-style config system with 2.3.39-r1.

Is this ready for stabling now? Jokey, I remember you OK'ed the stabling in a recent chat, but I lost the logs. Can you confirm that again, please?

Yup, just go ahead for now; the bdb issue will be dealt with at a different version.

Arches, please test and mark stable net-nds/openldap-2.3.39-r1.
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

*sigh* you'll need an emul-linux-x86-baselibs bump too...

(In reply to comment #13)
> *sigh* you'll need an emul-linux-x86-baselibs bump too...

copy that sigh.

ppc stable

ppc64 stable

Stable for HPPA.

x86 stable

alpha/ia64/sparc stable

(In reply to comment #14)
> (In reply to comment #13)
> > *sigh* you'll need an emul-linux-x86-baselibs bump too...
>
> copy that sigh.

app-emulation/emul-linux-x86-baselibs-20071128 going in the tree in an hour contains the fix.

amd64 done... vote is open.

Vulnerability (1) does not affect the default configuration and vulnerability (2) only allows *authenticated* users to crash the server. I still tend to vote YES here.

I vote YES.

full YES then and filed.

GLSA 200803-28
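Two comments above hinge on the same point: the crash only matters to a deployment that lets anonymous or unprivileged binds write to the DIT. The following slapd.conf fragment is an added example, not part of this bug or of the Gentoo ebuild; it shows the permissive access rule beside the kind of "normal recommended setup" the ldap team refers to. Suffix and attribute names are illustrative; the `access` directive syntax itself is the one slapd has used since the 2.x series.

```conf
# --- Weak: every bind, including an anonymous one, may add or modify entries.
# This is the configuration under which an unauthenticated client could
# feed the server the malformed data the advisory describes.
access to *
        by * write

# --- Recommended: no anonymous writes anywhere.
# slapd evaluates "access to" clauses in order and uses the first whose
# target matches, so the more specific password rule must come first.
access to attrs=userPassword
        by self write          # a user may change its own password
        by anonymous auth      # anonymous may only bind, never read the hash
        by * none

access to *
        by self write          # entries are writable only by their owner
        by users read          # any authenticated bind may read
        by anonymous auth      # anonymous may bind, nothing else
```

Run `slaptest -f /etc/openldap/slapd.conf` after editing to catch syntax errors before restarting slapd. With the new-style cn=config database that the thread mentions, the same rules live in the `olcAccess` attribute of the database entry (one `{n}to ... by ...` value per clause, in the same order), and the same first-match rule applies.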