Field | Value
---|---
Summary: | net-nds/openldap-2.4.45: Double free vulnerability in servers/slapd/back-mdb/search.c
Product: | Gentoo Security
Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | minor
CC: | henson, ldap-bugs
Priority: | Normal
Flags: | stable-bot: sanity-check+
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1456712
Whiteboard: | B3 [noglsa cve]
Package list: | =net-nds/openldap-2.4.45
Runtime testing required: | Yes
Description

Agostino Sarubbo, 2017-05-30 14:37:56 UTC

Reference: http://www.openldap.org/software/release/changes.html

OpenLDAP 2.4.45 Release (2017/06/01)
Fixed slapd-mdb double free with size zero paged result (ITS#8655)

@maintainers, please call for stable when ready.

arches, please stabilize.

target keywords: alpha, amd64, arm, arm64, ia64, ppc, ppc64, x86, hppa, s390, sparc.

"USE='-minimal berkdb' FEATURES=test ebuild openldap-2.4.45.ebuild test" should PASS. Expected runtime around 30 minutes.

Arch teams likely not proceeding until package list is filled as appropriate.

amd64 stable

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6c39556943d00d8462d523def8038deb75a6c0a

commit f6c39556943d00d8462d523def8038deb75a6c0a
Author: Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-27 16:00:55 +0000
Commit: Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-27 16:00:55 +0000

net-nds/openldap-2.4.45-r0: alpha stable

Bug: http://bugs.gentoo.org/620204
Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

net-nds/openldap/openldap-2.4.45.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Stable on alpha.

I've mentioned this a few times before; openldap operating as a server is only supported by upstream if it is using the lmdb version that it comes with. This ebuild has a dependency on >=dev-db/lmdb-0.9.18, whereas openldap 2.4.45 is bundled with lmdb-0.9.21. Running with an older version is not just unsupported, it's a really bad idea for a production system. Please ensure the openldap version bump process includes bumping the related lmdb version and updating the dependency. Thanks...

x86 stable

arm64 stable

ia64 stable

ppc stable

ppc64 stable

hppa stable

done and cleaned