Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 26728 - net-nds/openldap
Summary: net-nds/openldap
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
: Highest blocker (vote)
Assignee: Gentoo Security
Depends on: db4
  Show dependency tree
Reported: 2003-08-16 09:54 UTC by Daniel Ahlberg (RETIRED)
Modified: 2004-04-06 10:52 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---
klieber: Pending+

glsa-200403-12.xml.diff (glsa-200403-12.xml.diff,1.42 KB, patch)
2004-04-05 09:12 UTC, Joshua J. Berry (CondorDes) (RETIRED)
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-08-16 09:54:35 UTC
PACKAGE   : openldap 
SUMMARY   : Denial of Service and other (non-security) fixes 
DATE      : 2003-07-04 19:34:00 
ID        : CLA-2003:685 
 OpenLDAP[1] is an LDAPv2 and LDAPv3 server available for several 
 This update addresses the following issues in the OpenLDAP package 
 shipped with Conectiva Linux 9: 
 1) Denial of Service vulnerability[2] 
 A failed password extended operation (password EXOP) can cause 
 openldap to, if using the back-ldbm backend, attempt to free memory 
 which was never allocated, resulting in a segfault. The back-bdb 
 backend, on the other hand, has a memory leak in the same code. Both 
 conditions can be triggered remotely. 
 2) Crypt and md5 hash support[3] 
 The OpenLDAP packages shipped with Conectiva Linux 9 do not have 
 support for crypt and md5 password hashes. As a result, users 
 migrated to LDAP from system password files will not be able to 
 authenticate against the directory using simple binds. 
 3) One shot replication mode does not work[4] 
 The slurpd program shipped with OpenLDAP is responsible for 
 replicating data from a master OpenLDAP server to slave servers. It 
 has a replication mode called "one shot" which takes a replication 
 log file and attempts to replicate all changes to the specified 
 slaves and then exits. This mode was not working in openldap-2.1.16, 
 which is the version originally shipped with Conectiva Linux 9. 
 This announcement updates OpenLDAP for Conectiva Linux 9 to version 
 2.1.21, which, besides containing the fixes above and several others, 
 also includes many other improvements in indexes and performance. 
 It is recommended that all OpenLDAP users in Conectiva Linux 9 update 
 their packages. After the upgrade, the slapd service will be 
 automatically restarted if it was already running. 
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2003-08-21 00:04:42 UTC
we need OpenLDAP2.1 in the stable tree to resolve this (and thusly DB4.1).
Comment 2 solar (RETIRED) gentoo-dev 2003-09-22 00:26:59 UTC
db4 is nowhere near stable is it?
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2003-09-22 11:55:18 UTC
quite the opposite, I use DB4.1 and OpenLDAP2.1 on production servers. It's just that some other packages don't always treat DB4.[01] correctly.

See the list of dependancy bugs for thats to release db4.1
Comment 4 Ed Grimm 2004-02-07 16:13:53 UTC
Given the dependency is now satisfied, it may be a moot point for this time, but would it not be feasible to mark the package stable, and just leave its dependency unstable?  That way, the correct impression would be conveyed.
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-02-07 16:55:06 UTC
repoman doesn't allow that.
emerge would complain about being unable to satisfy dependancies.
try it yourself, it's a good self-protection system.

however I am going to mail the -dev list and see about moving forward on 4.1
Comment 6 Paul de Vrieze (RETIRED) gentoo-dev 2004-02-08 05:06:01 UTC
db-4.1 has been marked stable, so that should be no impediment to marking a new openldap stable
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-02-08 12:15:31 UTC
2.1.26 is in stable now.
our 2.0* tree was the only stable stuff before, and it's definetly affected by this bug.
i haven't deleted the 2.0 ebuilds now, but i will once the GLSA is ready.

security folks:
what should be done on the GLSA now?

it's item #1 from the CLA announcement.
Comment 8 Aida Escriva-Sammer (RETIRED) gentoo-dev 2004-03-24 08:05:14 UTC
Would someone in ppc test 2.1.26? Thanks. 
Comment 9 Kurt Lieber (RETIRED) gentoo-dev 2004-03-30 01:15:40 UTC
PPC -- plztest.
Comment 10 Lars Weiler (RETIRED) gentoo-dev 2004-03-30 03:45:39 UTC
As openldap-2.1.27-r1 also run on my system, I made this one stable.  I guess there are only very few openldap-users on ppc ;-)
Comment 11 Lars Weiler (RETIRED) gentoo-dev 2004-03-30 16:51:39 UTC
Forgot to remove ppc@ from Cc.
Comment 12 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-03-30 23:17:42 UTC
I'll start drafting a GLSA for this.
Comment 13 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-03-31 01:12:27 UTC
Draft GLSA submitted for review.

mips, please test and stabilize.

Thanks in advance.
Comment 14 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-03-31 03:08:38 UTC
GLSA 200403-12.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-04-02 08:05:50 UTC
We have an error here (thanks to Stuart Moore for reporting it) :

2.1.13 has been released Mon, 24 Feb 2003
2.1.16 has been released Fri, 14 Mar 2003
The fix to passwd.c was committed on their CVS Sat, 22 Mar 2003
2.1.17 has been released Fri, 04 Apr 2003

Fix list for 2.1.17 includes our #2390 bug :

OpenLDAP 2.1.17 Release
    Fixed libldap_r thread pool context bug (ITS#2404)
    Fixed libldap T.61 convert bug (ITS#2388)
    Fixed libldap h_errno bug
    Fixed slapd cn=# bug (ITS#2387)
    Fixed slapd naming violation error checks
    Fixed slapd modify password uninit free bug (ITS#2390)
    Fixed slapd request flooding bug (ITS#2389)
    Fixed slurpd one shot mode (ITS#2385)
    Fixed slurpd core dump on exit (ITS#2363)
    Fixed slapadd oidm destroy bug (ITS#2409)
    Fixed clients critical argument handling
    Updated clients password file support
    Added slappasswd password file support
    Removed lint (ITS#2382)
    Build Environment
        Updated versioning system
        Added LDAP cache shell-only routines
        Updated slurpd(8) -u usage
        Misc man page updates

It's not critical since (I think) no stable version was released between 2.1.12 and 2.1.26.

Comment 16 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-02 09:16:22 UTC
2.0.23 was marked as stable at one point--but I don't think that's a problem--and 2.0.18 was in CVS but is old enough that it doesn't have a KEYWORDS variable.

It was hard to tell, as they didn't have any version numbers in their bug, but it looked as if the patch was against their 2.0.12 code.  Maybe I should check the source next time ...

What needs to be done about this?
Comment 17 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-04-02 23:18:51 UTC
Any objections if any ebuilds older than 2.1.26 are removed?
Comment 18 Kurt Lieber (RETIRED) gentoo-dev 2004-04-05 01:23:35 UTC
The GLSA was incorrect, but it's highly doubtful that anyone would be adversely affected by this.  Looking at viewcvs, it appears that there was never any versions between 2.1.12 and 2.1.17.  So, when we told our users to do "emerge ">=net-nds/openldap-2.1.13"" to fix the vulnerability, they would have had to (at least) install version 2.1.18 which does, in fact, contain the fix. 

So, I recommend we update the XML file on the web site, bump the revision number on the GLSA and re-close this issue.
Comment 19 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-05 09:12:42 UTC
Created attachment 28744 [details, diff]

Patch to fix the GLSA.

Can I go ahead and commit this?
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2004-04-06 07:27:28 UTC
The patch is OK for me. I think you should go ahead and commit it (and reclose the bug).

Comment 21 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-06 10:52:26 UTC
OK, patch is committed.