Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 407941 (CVE-2012-1164) - <net-nds/openldap-2.4.30: Attributes Only LDAP Search Denial of Service Vulnerability (CVE-2012-1164)
Summary: <net-nds/openldap-2.4.30: Attributes Only LDAP Search Denial of Service Vulne...
Status: RESOLVED FIXED
Alias: CVE-2012-1164
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/48372/
Whiteboard: C3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-12 15:24 UTC by Agostino Sarubbo
Modified: 2014-07-01 00:22 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-03-12 15:24:34 UTC
From secunia security advisory at $URL:

Description:
The vulnerability is caused due to an assertion error when processing certain search results and can be exploited via a LDAP search request with "attrsOnly" set to true (e.g. ldapsearch -A).

Successful exploitation requires a proxy server configured to use both a relay backend and a translucent overlay.

The vulnerability is reported in versions prior to 2.4.30.


Solution
Update to version 2.4.30.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2012-03-12 19:28:05 UTC
in tree and ready for stabilization.
target keywords: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86
Comment 2 Agostino Sarubbo gentoo-dev 2012-03-13 12:13:25 UTC
amd64 stable
Comment 3 Brent Baude (RETIRED) gentoo-dev 2012-03-13 15:25:08 UTC
ppc and ppc64 done
Comment 4 Jeroen Roovers gentoo-dev 2012-03-13 16:26:57 UTC
Stable for HPPA.
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-03-15 18:08:39 UTC
x86 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2012-03-17 17:37:47 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-03-19 05:37:14 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 8 Sean Amoss gentoo-dev Security 2012-06-24 23:34:14 UTC
GLSA vote: yes.

Adding to existing GLSA draft.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-07-12 01:08:02 UTC
CVE-2012-1164 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1164):
  slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of
  service (assertion failure and daemon exit) via an LDAP search query with
  attrsOnly set to true, which causes empty attributes to be returned.
Comment 10 Sergey Popov gentoo-dev Security 2014-03-04 06:59:38 UTC
@maintainers, cleanup or mask vulnerable versions, please
Comment 11 Yury German Gentoo Infrastructure gentoo-dev Security 2014-05-30 22:39:20 UTC
Maintainer(s), Thank you for cleanup!
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-07-01 00:22:10 UTC
This issue was resolved and addressed in
 GLSA 201406-36 at http://security.gentoo.org/glsa/glsa-201406-36.xml
by GLSA coordinator Yury German (BlueKnight).