
Bug 560424 (CVE-2015-6908)

Summary: <net-nds/openldap-2.4.43: ber_get_next denial of service vulnerability
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ldap-bugs
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1262393
Whiteboard: B3 [noglsa cve]
Package list: =net-nds/openldap-2.4.44
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 539044

Description Agostino Sarubbo gentoo-dev 2015-09-14 09:22:52 UTC
From ${URL} :

A flaw was found in the way the OpenLDAP server daemon (slapd) parsed certain BER data. A remote 
attacker could use this flaw to crash slapd via a specially crafted packet.

Upstream advisory (including a reproducer):

http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240

Upstream patch:

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=6fe51a9ab04fd28bbc171da3cf12f1c1040d6629

CVE assignment request:

http://seclists.org/oss-sec/2015/q3/535


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2016-09-16 04:46:05 UTC
Does version 2.4.44 contain the fix for this vulnerability?

If it does, we can stabilize it for both this bug and 539044.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 18:50:39 UTC
This was fixed in =net-nds/openldap-2.4.43. From http://www.openldap.org/software/release/changes.html:

> OpenLDAP 2.4.43 Release (2015/11/30)
> 	Fixed liblber remove obsolete assert (ITS#8240, ITS#8301)
> [...]


@ Arches,

please test and mark stable: =net-nds/openldap-2.4.44

Stable target(s): alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
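The description above (slapd crashing on crafted BER data) and the changelog line quoted in comment 2 (the fix removed an obsolete assert in liblber) point at one defensive rule: a parser fed network input must hand malformed length fields back to its caller as an error instead of asserting on them. The block below is an added example, not liblber's ber_get_next and not a reproduction of the ITS#8240 condition, which this page does not describe: a minimal BER tag/length header decoder that reports indefinite, non-minimal (a DER rule, stricter than plain BER), too-wide, oversized and truncated lengths through return codes. BER_MAX_MSG is a constructed cap, and the high-tag-number form is deliberately left unsupported.

```c
#include <stddef.h>
#include <stdint.h>

#define BER_MAX_MSG (1u << 20)  /* constructed cap on a declared element size */

typedef enum {
    BER_OK = 0,
    BER_NEED_MORE,    /* header or content runs past the bytes received so far */
    BER_BAD_LENGTH,   /* indefinite, non-minimal, too wide, or above BER_MAX_MSG */
    BER_BAD_TAG       /* high-tag-number form is not handled by this example */
} ber_status;

/* Decode one tag/length header from buf[0..len). On BER_OK, *hdr_len is the
 * header size and *content_len the declared content size. Every malformed
 * case is reported to the caller; nothing in this function aborts. */
ber_status ber_decode_header(const uint8_t *buf, size_t len, uint8_t *tag,
                             size_t *hdr_len, size_t *content_len)
{
    size_t pos = 0, n, i;
    uint64_t l = 0;
    if (len < 2) return BER_NEED_MORE;            /* tag + one length byte minimum */
    *tag = buf[pos++];
    if ((*tag & 0x1f) == 0x1f) return BER_BAD_TAG;
    if (buf[pos] < 0x80) {                        /* short form: one length byte */
        l = buf[pos++];
    } else {                                      /* long form: 0x80|n, then n bytes */
        n = buf[pos++] & 0x7f;
        if (n == 0 || n > sizeof(size_t)) return BER_BAD_LENGTH; /* indefinite / too wide */
        if (len - pos < n) return BER_NEED_MORE;  /* length octets not all here yet */
        if (buf[pos] == 0) return BER_BAD_LENGTH; /* leading zero octet: non-minimal */
        for (i = 0; i < n; i++) l = (l << 8) | buf[pos++];
        if (l < 0x80) return BER_BAD_LENGTH;      /* short form was required */
    }
    if (l > BER_MAX_MSG) return BER_BAD_LENGTH;   /* refuse before any allocation */
    if (l > len - pos) return BER_NEED_MORE;      /* content truncated */
    *hdr_len = pos;
    *content_len = (size_t)l;
    return BER_OK;
}

/* Status-only wrapper for callers that just need accept/reject/wait. */
ber_status ber_check(const uint8_t *buf, size_t len)
{
    uint8_t tag; size_t h, c;
    return ber_decode_header(buf, len, &tag, &h, &c);
}
```

A caller that receives BER_NEED_MORE either reads more bytes or, once a per-connection input limit is reached, drops the connection; a BER_BAD_* result should close the connection and log it.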
Comment 3 Agostino Sarubbo gentoo-dev 2016-11-19 13:53:36 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-11-19 13:55:57 UTC
x86 stable
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2016-11-23 09:21:19 UTC
Stable on alpha.
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-11 10:38:38 UTC
sparc stable
Comment 7 Markus Meier gentoo-dev 2017-01-13 16:51:21 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-15 15:52:04 UTC
ppc stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-15 19:27:10 UTC
Stable for HPPA.
Comment 10 Agostino Sarubbo gentoo-dev 2017-01-17 14:26:48 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-18 10:04:32 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-01-24 08:51:55 UTC
https://github.com/gentoo/gentoo/pull/3621
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2017-01-29 07:06:54 UTC
Tree is clean and the security mask remains for 2.3.x versions per maintainers' feedback.
Comment 14 Anton Bolshakov 2017-01-29 11:27:27 UTC
(In reply to Aaron Bauman from comment #13)
> Tree is clean and the security mask remains for 2.3.x versions per
> maintainers feedback.

Please revert back openldap-2.4.15-ppolicy.patch ASAP. It is in use by the stable version.

https://bugs.gentoo.org/show_bug.cgi?id=607560
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2017-01-29 11:54:49 UTC
(In reply to Anton Bolshakov from comment #14)
> (In reply to Aaron Bauman from comment #13)
> > Tree is clean and the security mask remains for 2.3.x versions per
> > maintainers feedback.
> 
> please revert back openldap-2.4.15-ppolicy.patch ASAP. It is in use by the
> stable version.
> 
> https://bugs.gentoo.org/show_bug.cgi?id=607560

Reverted. Thanks.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2017-06-10 23:52:41 UTC
Can we please update the patch set and drop the vulnerable versions?
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2017-07-09 23:37:17 UTC
(In reply to Yury German from comment #16)
> Can we please update the patch set and drop the vulnerable versions?

The patch set is good. The reversion was for one that is needed.

@maintainer, can we drop 2.3.x yet?