Summary: | <net-nds/openldap-2.4.58: multiple vulnerabilities (CVE-2020-{20178,25709}, CVE-2021-27212) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | IN_PROGRESS --- | ||
Severity: | minor | CC: | hydrapolic, ldap-bugs, zlogene |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugs.openldap.org/show_bug.cgi?id=9454 | ||
Whiteboard: | B3 [glsa? cleanup] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 818739 | ||
Bug Blocks: |
Description
John Helmert III
2021-02-15 22:10:10 UTC
CVE-2020-20178: A flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed by OpenLDAP’s slapd server, to trigger an assertion failure. The highest threat from this vulnerability is to system availability. Issue: https://bugs.openldap.org/show_bug.cgi?id=9454 Seems to be the same fix as the first. CVE-2021-25709: A flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed by OpenLDAP’s slapd server, to trigger an assertion failure. The highest threat from this vulnerability is to system availability. Issue: https://bugs.openldap.org/show_bug.cgi?id=9383 Patch: https://git.openldap.org/openldap/openldap/-/commit/67670f4544e28fb09eb7319c39f404e1d3229e65 Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. (In reply to John Helmert III from comment #0) > CVE-2021-27212: > > In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion > failure in slapd can occur in the issuerAndThisUpdateCheck function via a > crafted packet, resulting in a denial of service (daemon exit) via a short > timestamp. This is related to schema_init.c and checkTime. > > > Unreleased patch: > https://git.openldap.org/openldap/openldap/-/commit/ > 9badb73425a67768c09bcaed1a9c26c684af6c30 > > Maintainers, please apply the patch if it looks reasonable to you. (In reply to John Helmert III from comment #1) > CVE-2020-20178: > > A flaw was found in OpenLDAP. This flaw allows an attacker who can send a > malicious packet to be processed by OpenLDAP’s slapd server, to trigger an > assertion failure. The highest threat from this vulnerability is to system > availability. > > Issue: https://bugs.openldap.org/show_bug.cgi?id=9454 > > Seems to be the same fix as the first. In 2.4.58. > > CVE-2021-25709: > > A flaw was found in OpenLDAP. This flaw allows an attacker who can send a > malicious packet to be processed by OpenLDAP’s slapd server, to trigger an > assertion failure. The highest threat from this vulnerability is to system > availability. > > Issue: https://bugs.openldap.org/show_bug.cgi?id=9383 > Patch: > https://git.openldap.org/openldap/openldap/-/commit/67670f4544e28fb09eb7319c39f404e1d3229e65 In 2.4.56. |