Hi All,

Date: 19 May 2006
SecWatch ID: 1014107
Vendor URL: http://www.openldap.org/
Original Advisory:
http://www.openldap.org/software/release/changes.html
http://www.openldap...tic=1sortbydate=0f=h

Description:
A weakness with unknown impact has been reported in OpenLDAP. The weakness is caused by a boundary error in slurpd within the handling of the status file. This can be exploited to cause a stack-based buffer overflow via an overly long hostname read from the status file.

Affected: OpenLDAP version 2.3.21. Prior versions may also be affected.

Solution: The vulnerability has been fixed in version 2.3.22 or later, available at: http://www.openldap.org/software/download/

Credits: Reported by vendor.

rgds
Daxomatic
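The boundary error described in the advisory above, as an added illustrative example that is not OpenLDAP's slurpd code and not part of the original bug report: the status-line format ("hostname:port:timestamp.seqnum"), the HOST_MAX buffer size and the function names are constructed assumptions. The "before" parser uses an unbounded scanf conversion into a fixed-size stack buffer, the pattern that produces a stack-based overflow when a hostname longer than the buffer is read from a file; the hardened parser measures the hostname before copying, validates its characters and the numeric fields, and rejects the line when it would not fit.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer for the hostname field. */
#define HOST_MAX 64

/* One parsed replication status entry (constructed layout, not slurpd's). */
struct status_entry {
    char host[HOST_MAX];
    long port;
    long ts;
    long seq;
};

/* BEFORE: "%[^:]" has no width limit, so a hostname of HOST_MAX bytes or
 * more overruns the stack buffer `host`. Kept only for contrast. */
int parse_status_line_unsafe(const char *line, struct status_entry *e)
{
    char host[HOST_MAX];
    if (sscanf(line, "%[^:]:%ld:%ld.%ld", host, &e->port, &e->ts, &e->seq) != 4)
        return -1;
    strcpy(e->host, host);
    return 0;
}

/* AFTER: measure the hostname before copying, bound every field, and
 * refuse the line rather than truncating it silently. Returns 0 on
 * success, -1 on any malformed or oversized input. */
int parse_status_line_safe(const char *line, struct status_entry *e)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return -1;

    size_t hlen = (size_t)(colon - line);
    if (hlen == 0 || hlen >= HOST_MAX)   /* empty or would not fit with NUL */
        return -1;

    for (size_t i = 0; i < hlen; i++) {  /* only hostname characters */
        unsigned char c = (unsigned char)line[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return -1;
    }
    memcpy(e->host, line, hlen);
    e->host[hlen] = '\0';

    char *end;
    errno = 0;
    e->port = strtol(colon + 1, &end, 10);
    if (end == colon + 1 || *end != ':' || e->port < 1 || e->port > 65535)
        return -1;

    const char *p = end + 1;
    e->ts = strtol(p, &end, 10);
    if (end == p || *end != '.')
        return -1;

    p = end + 1;
    e->seq = strtol(p, &end, 10);
    if (end == p || (*end != '\0' && *end != '\n'))
        return -1;

    return errno == ERANGE ? -1 : 0;
}

/* Build a constructed status line whose hostname is `n` bytes of 'A',
 * i.e. the kind of oversized field a status file could contain. */
void make_line(char *out, size_t outsz, size_t n)
{
    size_t i = 0;
    while (i < n && i + 1 < outsz)
        out[i++] = 'A';
    snprintf(out + i, outsz - i, ":389:1148000000.1");
}

int main(void)
{
    struct status_entry e;
    char line[512];

    /* Constructed well-formed line: both parsers accept it. */
    printf("normal line -> %d\n",
           parse_status_line_safe("ldap1.example.net:389:1148000000.7", &e));

    /* Constructed 300-byte hostname: the hardened parser rejects it
     * instead of writing past a 64-byte buffer. */
    make_line(line, sizeof line, 300);
    printf("oversized hostname -> %d\n", parse_status_line_safe(line, &e));
    return 0;
}
```

The point of the hardened form is the early `hlen >= HOST_MAX` check: the length of untrusted file input is decided before any copy, so the fixed buffer can never be overrun regardless of what the status file contains.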
Seems very obscure to me, and I don't think (not fully checked though) you can inject arbitrary hostnames into the slurpd status file, so it's dependent on DNS and your configuration. So it looks far from critical to me.
Hi Lcars,

Is the new version ready to be unmasked? If so, could you unmask it for stable?

rgds
Daxomatic
The new version has an issue with the new-style config directory, mentioned in bug #133898, which upstream already knows about. So really a non-easy decision here...
http://tinyurl.com/s34lu This seems to be the patch. Could somebody do a revbump of the old-config-style version with this?
ldap team, please bump with the provided patch or comment.
As .24 was released some hours ago, I bumped it right now.
Arches please test and mark stable and sorry for the delay.
(In reply to comment #7)
> Arches please test and mark stable and sorry for the delay.

What version are we supposed to stable? Seems like the unaffected versions are still masked.

# Markus Ullmann <jokey@gentoo.org> (21 May 2006)
# OpenLDAP serious config problem, see bug #133898
>=net-nds/openldap-2.3.23
Readjusted the package mask so that all versions below 2.3.24 are masked. 2.3.24 is the candidate for stable.
alpha done.
*** Bug 130975 has been marked as a duplicate of this bug. ***
If mit-krb5 is used to satisfy the virtual/kerberos use flag dependency for kerberos, openldap will fail to build, as mit-krb5 does not provide both the kadm5/admin.h and hdb.h headers.
(In reply to comment #9)
> Readjusted the package mask so that all versions below 2.3.24 are masked.
> 2.3.24 is the candidate for stable

# masking older versions due to security bug #134010 and bug #133898
<net-nds/openldap-2.3.24

Well uh... you've killed all stable openldap, not exactly a good thing, considering that no one besides alpha keyworded the fixed version.
*** Bug 135216 has been marked as a duplicate of this bug. ***
(In reply to comment #9)
> Readjusted the package mask so that all versions below 2.3.24 are masked.
> 2.3.24 is the candidate for stable

Jokey,

Please never ever do that again. You started to cause a world of pain for a lot of people. We first have the arches test and decide if it can be marked stable. Then p.masking if needed.

Carlo,

Thanks for reverting that, but please next time find the bug which caused the breakage and comment on it.
ppc stable
stable on ppc64
(In reply to comment #12)
> If mit-krb5 is used to satisfy the virtual/kerberos use flag dependency for
> kerberos, openldap will fail to build as mit-krb5 does not provide both
> kadm5/admin.h or hdb.h headers.

Will/Can it be made to work with mit-krb5 or do I have to switch to heimdal?
In a diff between the last ebuild with the most arch keywords (openldap-2.2.28-r3) and this one, we can see that a lot more modules in contrib/ come with openldap-2.3.24.ebuild. IMHO, it's bad practice to introduce new "features" in an ebuild that requires a security stable keyword, which causes problems, as seen with the smbk5pwd module.
Created attachment 88202
openldap-2.3.24.ebuild.patch with new stuff removed.

dsaschema, smbk5pwd, addrdnvalues are new stuff added in 2.3.24. I propose we remove them for now.

~/cvs/gentoo-x86/net-nds/openldap $ grep -l dsaschema *.ebuild
openldap-2.3.24.ebuild
~/cvs/gentoo-x86/net-nds/openldap $ grep -l smbk5pwd *.ebuild
openldap-2.3.24.ebuild
~/cvs/gentoo-x86/net-nds/openldap $ grep -l addrdnvalues *.ebuild
openldap-2.3.24.ebuild
Okay, a short "what went wrong here" story to clarify things a bit. First let me say sorry for the wrong package mask; I just had the 2.3 branch in mind when setting that mask. Then in 2.3.21-r1 I started testing the contrib overlays as described in bug #116045, but I decided not to let it hit the tree as I didn't have enough time to test. After 2.3.23 was out I prepared things to go live, as in the meantime I was fine with it. Then the slurpd bug came in and I just thought "okay, not that many changes (some overlays), so let it go." Afterwards, at least, I do know better now. Right now I am preparing a 2.3.24-r1 ebuild without all the extra overlays that can go stable then (I already talked to the arches who stabled already to make sure they help here), and the new overlays (with what I learned from now) will go into an -r3 then, which should be at best ~ keyworded or just stay hardmasked for further development. All in all not the best one would expect, I admit that, but now I try to make the best out of it and get this crap sorted.
Okay, the candidate for stable is now 2.3.24-r1.
-r1 works fine here on ppc with mit-krb5, but -r2 still fails.
Stable on hppa
amd64 stable.
SPARC stable
x86 done, sorry about the delay.
stable on ppc64; we are not CC'd...
GLSA 200606-17. arm, ia64, mips and s390: don't forget to mark stable to benefit from the GLSA.
Arm done
2.3.24 stable on mips.