Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 767184 (CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230)

Summary: <net-nds/openldap-2.4.57: Multiple vulnerabilities
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ldap-bugs, zlogene
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=630034
Whiteboard: B3 [noglsa cve]
Package list:
net-nds/openldap-2.4.57 *
 Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 20:02:25 UTC 
* CVE-2020-36230

Description:
"A flaw was discovered in OpenLDAP before 2.4.57 leading in an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service."

Bug: https://bugs.openldap.org/show_bug.cgi?id=9423

* CVE-2020-36229

Description:
"A flaw was discovered in ldap_X509dn2bv in OpenLDAP before 2.4.57 leading to a slapd crash in the X.509 DN parsing in ad_keystring, resulting in denial of service."

Bug: https://bugs.openldap.org/show_bug.cgi?id=9425

* CVE-2020-36228

Description:
"An integer underflow was discovered in OpenLDAP before 2.4.57 leading to a slapd crash in the Certificate List Exact Assertion processing, resulting in denial of service."

Bug: https://bugs.openldap.org/show_bug.cgi?id=9427

* CVE-2020-36227

Description:
"A flaw was discovered in OpenLDAP before 2.4.57 leading to an infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service."

Bug: https://bugs.openldap.org/show_bug.cgi?id=9428

* CVE-2020-36226

Description:
"A flaw was discovered in OpenLDAP before 2.4.57 leading to a memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service."

Bug: https://bugs.openldap.org/show_bug.cgi?id=9413

* CVE-2020-36225

Description:
"A flaw was discovered in OpenLDAP before 2.4.57 leading to a double free and slapd crash in the saslAuthzTo processing, resulting in denial of service."

Bug: https://bugs.openldap.org/show_bug.cgi?id=9412

* CVE-2020-36224

Description:
"A flaw was discovered in OpenLDAP before 2.4.57 leading to an invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service."

Bug: https://bugs.openldap.org/show_bug.cgi?id=9409

* CVE-2020-36223

Description:
"A flaw was discovered in OpenLDAP before 2.4.57 leading to a slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read)."

Bug: https://bugs.openldap.org/show_bug.cgi?id=9408

* CVE-2020-36222

Description:
"A flaw was discovered in OpenLDAP before 2.4.57 leading to an assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service."

Bug: https://bugs.openldap.org/show_bug.cgi?id=9406
Bug: https://bugs.openldap.org/show_bug.cgi?id=9407

* CVE-2020-36221

Description:
"An integer underflow was discovered in OpenLDAP before 2.4.57 leading to slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck)."

Bug: https://bugs.openldap.org/show_bug.cgi?id=9404
Bug: https://bugs.openldap.org/show_bug.cgi?id=9424
Comment 1 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2021-01-26 09:54:32 UTC 
Done.