servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to a double free vulnerability. A user with access to search the directory can crash slapd by issuing a search including the Paged Results control with a page size of 0.

Upstream patch: https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=0cee1ffb6021b1aae3fcc9581699da1c85a6dd6e

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Reference: http://www.openldap.org/software/release/changes.html

OpenLDAP 2.4.45 Release (2017/06/01)
Fixed slapd-mdb double free with size zero paged result (ITS#8655)
@maintainers, please call for stable when ready.
arches, please stabilize. target keywords: alpha,amd64,arm,arm64,ia64,ppc,ppc64,x86,hppa,s390,sparc. "USE='-minimal berkdb' FEATURES=test ebuild openldap-2.4.45.ebuild test" should PASS. Expected runtime around 30 minutes.
Arch teams likely not proceeding until package list is filled as appropriate.
amd64 stable
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6c39556943d00d8462d523def8038deb75a6c0a

commit f6c39556943d00d8462d523def8038deb75a6c0a
Author: Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-27 16:00:55 +0000
Commit: Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-27 16:00:55 +0000

net-nds/openldap-2.4.45-r0: alpha stable

Bug: http://bugs.gentoo.org/620204
Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

net-nds/openldap/openldap-2.4.45.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Stable on alpha.
I've mentioned this a few times before; openldap operating as a server is only supported by upstream if it is using the lmdb version that it comes with. This ebuild has a dependency on >=dev-db/lmdb-0.9.18, whereas openldap 2.4.45 is bundled with lmdb-0.9.21. Running with an older version is not just unsupported, it's a really bad idea for a production system. Please ensure the openldap version bump process includes bumping the related lmdb version and updating the dependency. Thanks...
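The lmdb mismatch raised in the comment above can be caught mechanically at bump time. The following is an added example, not code from this bug thread or from the Gentoo tree: it reads the MDB_VERSION_MAJOR/MINOR/PATCH defines that OpenLDAP's bundled libraries/liblmdb/lmdb.h carries, reads the `>=dev-db/lmdb-X.Y.Z` atom from the ebuild's DEPEND, and reports whether the dependency floor is at least the bundled version. The header and ebuild excerpts below are constructed samples mirroring the versions named in the comment (bundled 0.9.21, dependency 0.9.18).

```python
import re

# Constructed excerpt shaped like libraries/liblmdb/lmdb.h from an
# OpenLDAP 2.4.45 source tree; the real header has the same three defines.
LMDB_HEADER = """
#define MDB_VERSION_MAJOR 0
#define MDB_VERSION_MINOR 9
#define MDB_VERSION_PATCH 21
"""

# Constructed excerpt shaped like the DEPEND block of the ebuild.
EBUILD_DEPEND = """
DEPEND="
    >=dev-db/lmdb-0.9.18
    berkdb? ( sys-libs/db )
"
"""


def bundled_lmdb_version(header_text):
    """Return (major, minor, patch) parsed from the MDB_VERSION_* defines."""
    parts = {}
    for name in ("MAJOR", "MINOR", "PATCH"):
        m = re.search(r"#define\s+MDB_VERSION_%s\s+(\d+)" % name, header_text)
        if m is None:
            raise ValueError("MDB_VERSION_%s not found in header" % name)
        parts[name] = int(m.group(1))
    return (parts["MAJOR"], parts["MINOR"], parts["PATCH"])


def lmdb_dependency_floor(ebuild_text):
    """Return the minimum lmdb version required via a >=dev-db/lmdb atom, or None."""
    m = re.search(r">=dev-db/lmdb-(\d+)\.(\d+)\.(\d+)", ebuild_text)
    return tuple(int(x) for x in m.groups()) if m else None


def check_lmdb_dependency(header_text, ebuild_text):
    """True only if the ebuild requires at least the lmdb version OpenLDAP bundles."""
    bundled = bundled_lmdb_version(header_text)
    floor = lmdb_dependency_floor(ebuild_text)
    return floor is not None and floor >= bundled


if __name__ == "__main__":
    print("bundled lmdb:", bundled_lmdb_version(LMDB_HEADER))
    print("ebuild floor:", lmdb_dependency_floor(EBUILD_DEPEND))
    print("dependency ok:", check_lmdb_dependency(LMDB_HEADER, EBUILD_DEPEND))
```

Pointing the two parsers at a real unpacked source tree and ebuild makes this a one-line pre-bump check; a `False` result is the situation the comment describes.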
x86 stable
arm64 stable
ia64 stable
ppc stable
ppc64 stable
hppa stable
done and cleaned