Two vulnerabilities have been reported in OpenLDAP, which can be exploited by malicious people to bypass certain security restrictions.
1) An error in the "back-ldap" component when a slave server forwards password failures to a master server can be exploited to successfully authenticate with an invalid password.
Successful exploitation of this vulnerability requires a master and slave configuration with the "ppolicy_forward_updates" option.
2) An error in the "back-ndb" component when handling authentication for a "rootdn" Distinguished Name (DN) can be exploited to perform arbitrary actions (e.g. searching or updating) without a valid password.
Successful exploitation of this vulnerability requires knowing the "rootdn" value as configured in the slapd.conf file.
The vulnerabilities are reported in versions prior to 2.4.24.
ebuild added now.
Thank you. Arches, please stabilize =net-nds/openldap-2.4.24
Tested on SPARC, all tests passed. Please stabilise.
Thanks Alex. Stable for HPPA SPARC.
I think the two blocking bugs are not as important as the security fix that the new release brings. So amd64 done. The maintainer can fix the QA problems a bit later.
x86 stable; agreed, minor QA issues shouldn't block security stabilization.
CVE assignment per http://www.openwall.com/lists/oss-security/2011/02/25/13:
CVE-2011-1024 openldap forwarded bind failure messages cause success
CVE-2011-1025 openldap rootpw is not verified with slapd.conf
GLSA Vote: yes.
Looks like http://www.openldap.org/its/index.cgi/Software Bugs?id=6768 was also fixed here. This is CVE-2011-1081 per http://www.openwall.com/lists/oss-security/2011/03/01/15.
modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attackers to cause a denial of service (daemon crash) via a relative Distinguished Name (DN) modification request (aka MODRDN operation) that contains an empty value for the OldDN field.

bind.cpp in back-ndb in OpenLDAP 2.4.x before 2.4.24 does not require authentication for the root Distinguished Name (DN), which allows remote attackers to bypass intended access restrictions via an arbitrary password.

chain.c in back-ldap in OpenLDAP 2.4.x before 2.4.24, when a master-slave configuration with a chain overlay and ppolicy_forward_updates (aka authentication-failure forwarding) is used, allows remote authenticated users to bypass external-program authentication by sending an invalid password to a slave server.
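The advisory at the top of this bug and the three CVE descriptions above each tie exposure to a version (before 2.4.24) plus, for two of the issues, a specific slapd.conf setup: a back-ndb database for CVE-2011-1025, and a chain overlay together with ppolicy_forward_updates for CVE-2011-1024. As an added example (not code from OpenLDAP or from this bug), here is a small checker an administrator could run against a slapd.conf to see which of the three issues a given server is exposed to. It assumes the standard slapd.conf directive spellings ("database ndb", "overlay chain", "ppolicy_forward_updates") and the slapd.conf rule that lines beginning with whitespace continue the previous line; the sample configurations inside it are constructed.

```python
"""Report which of CVE-2011-1024, CVE-2011-1025 and CVE-2011-1081 a given
OpenLDAP version and slapd.conf are exposed to, per the advisory text above.

Added example, not OpenLDAP's or the Gentoo bug's own code. Assumptions:
the standard slapd.conf directive names, and that a version at or above
2.4.24 fixes all three issues (as the advisory states)."""
import re

FIXED_VERSION = (2, 4, 24)


def parse_version(version):
    """'2.4.23' -> (2, 4, 23); tolerates a Gentoo-style '-r1' revision suffix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised OpenLDAP version: %r" % version)
    return tuple(int(x) for x in m.groups())


def parse_slapd_conf(text):
    """Return a list of (directive, arguments) tuples from slapd.conf text.

    slapd.conf ignores blank lines and '#' comments, and joins a line that
    starts with whitespace onto the previous logical line."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    entries = []
    for line in logical:
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries


def assess(version, config_text):
    """Return the CVE ids this version + configuration is exposed to."""
    if parse_version(version) >= FIXED_VERSION:
        return []
    entries = parse_slapd_conf(config_text)
    # CVE-2011-1081 (modrdn crash) needs no particular configuration.
    findings = ["CVE-2011-1081"]
    has_ndb = any(d == "database" and a.lower() == "ndb" for d, a in entries)
    has_chain = any(d == "overlay" and a.lower() == "chain" for d, a in entries)
    has_forward = any(d == "ppolicy_forward_updates" for d, _ in entries)
    if has_ndb:
        findings.append("CVE-2011-1025")   # rootdn bind accepted with any password
    if has_chain and has_forward:
        findings.append("CVE-2011-1024")   # forwarded bind failure reported as success
    return findings


# Constructed sample: a consumer (slave) forwarding ppolicy state to its master.
SLAVE_CONF = """\
# constructed slave slapd.conf
include /etc/openldap/schema/core.schema
database hdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
overlay ppolicy
ppolicy_forward_updates
overlay chain
chain-uri
    "ldap://master.example.com"
"""

# Constructed sample: a server using the NDB backend.
NDB_CONF = """\
# constructed back-ndb slapd.conf
database ndb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
"""

if __name__ == "__main__":
    for ver, name, conf in [("2.4.23", "slave", SLAVE_CONF),
                            ("2.4.23", "ndb", NDB_CONF),
                            ("2.4.24", "slave", SLAVE_CONF)]:
        print(ver, name, assess(ver, conf) or "not affected")
```

Running the script prints one line per sample; a server at 2.4.23 with the slave configuration is reported for CVE-2011-1081 and CVE-2011-1024, the NDB one for CVE-2011-1081 and CVE-2011-1025, and the same configs at 2.4.24 as not affected. The version check comes first on purpose: once the stabilised 2.4.24 is installed, no configuration tweak is needed for these three issues.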
Please remove vulnerable version from the tree.
No. We still support the 2.3 series for users that cannot migrate to 2.4 (mainly if they are still using slurpd replication).
Vote: YES. Added to pending GLSA request.
This issue was resolved and addressed in GLSA 201406-36 at http://security.gentoo.org/glsa/glsa-201406-36.xml by GLSA coordinator Yury German (BlueKnight).