Two vulnerabilities have been reported in OpenLDAP, which can be exploited by malicious people to bypass certain security restrictions. 1) An error in the "back-ldap" component when a slave server forwards password failures to a master server can be exploited to successfully authenticate with an invalid password. Successful exploitation of this vulnerability requires a master and slave configuration with the "ppolicy_forward_updates" option. 2) An error in the "back-ndb" component when handling authentication for a "rootdn" Distinguished Name (DN) can be exploited to perform arbitrary actions (e.g. searching or updating) without a valid password. Successful exploitation of this vulnerability requires knowing the "rootdn" value as configured in the slapd.conf file. The vulnerabilities are reported in versions prior to 2.4.24.
ebuild added now.
Thank you. Arches, please stabilize =net-nds/openldap-2.4.24
Tested on SPARC, all tests passed. Please stabilise.
Thanks Alex. Stable for HPPA SPARC.
I think the two blocking bugs are not as important as the security fix that the new release brings. So amd64 done. The maintainer can fix the QA problems a bit later.
ppc/ppc64 stable
x86 stable, agreed minor QA issues shouldn't block security stabilization
CVE assignment per http://www.openwall.com/lists/oss-security/2011/02/25/13:
> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6607 CVE-2011-1024 openldap forwarded bind failure messages cause success
> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6661 CVE-2011-1025 openldap rootpw is not verified with slapd.conf
alpha/arm/ia64/s390/sh stable
Thanks, folks. GLSA Vote: yes.
Looks like http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6768 was also fixed here. This is CVE-2011-1081 per http://www.openwall.com/lists/oss-security/2011/03/01/15.
CVE-2011-1081 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1081): modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attackers to cause a denial of service (daemon crash) via a relative Distinguished Name (DN) modification request (aka MODRDN operation) that contains an empty value for the OldDN field.
CVE-2011-1025 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1025): bind.cpp in back-ndb in OpenLDAP 2.4.x before 2.4.24 does not require authentication for the root Distinguished Name (DN), which allows remote attackers to bypass intended access restrictions via an arbitrary password.
CVE-2011-1024 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1024): chain.c in back-ldap in OpenLDAP 2.4.x before 2.4.24, when a master-slave configuration with a chain overlay and ppolicy_forward_updates (aka authentication-failure forwarding) is used, allows remote authenticated users to bypass external-program authentication by sending an invalid password to a slave server.
@ldap-bugs Please remove the vulnerable version from the tree.
No. We still support the 2.3 series for users that cannot migrate to 2.4 (mainly if they are still using slurpd replication).
Vote: YES. Added to pending GLSA request.
This issue was resolved and addressed in GLSA 201406-36 at http://security.gentoo.org/glsa/glsa-201406-36.xml by GLSA coordinator Yury German (BlueKnight).