Some vulnerabilities have been reported in OpenLDAP, which can be exploited by malicious users to cause a DoS (Denial of Service).

1) A vulnerability is caused due to the "add_filter_attrs()" function in servers/slapd/overlay/pcache.c not correctly NULL terminating "new_attrs", which can be exploited to crash slapd due to an out of bounds memory access. Successful exploitation may require that slapd runs as a proxy-caching server.

2) An error within the normalisation of "objectClasses" can be exploited to crash a vulnerable server by sending a malformed "objectClasses" attribute.

The vulnerabilities are reported in versions prior to 2.3.39.

Note: Several other bugs, which may have a security impact, were also reported.

SOLUTION: Update to version 2.3.39.
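As an added illustration, not code from OpenLDAP or from this bug, the first item above concerns slapd's NULL-terminated attribute-list convention: a consumer walks the array until it meets a NULL entry, so a builder that omits the terminator sends every consumer past the end of the allocation. The hypothetical merge below (names and structure assumed; it only loosely mirrors the role of add_filter_attrs()) shows where the terminator must be written, with attr_count() standing in for the walking consumer.

```c
/* Illustrative example, not OpenLDAP's pcache.c: building a NULL-terminated
 * attribute list from a cached query's attributes plus the attributes a
 * search filter references. */
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Consumer side: number of entries before the terminating NULL.
 * Without that NULL this loop reads past the end of the array. */
size_t attr_count(const char **attrs)
{
    size_t n = 0;
    if (attrs == NULL) return 0;
    while (attrs[n] != NULL) n++;
    return n;
}

/* LDAP attribute descriptions compare case-insensitively. */
static int attr_present(const char **attrs, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(attrs[i], name) == 0) return 1;
    return 0;
}

/* Builder side (hypothetical): returns a freshly allocated list holding every
 * name in `base` plus every name in `filter_attrs` not already present.
 * Returns NULL on allocation failure; caller frees the array with free().
 * The "+ 1" in the allocation and the final assignment are the terminator
 * the advisory says was missing. */
char **add_filter_attrs(const char **base, const char **filter_attrs)
{
    size_t nb = attr_count(base), nf = attr_count(filter_attrs);
    char **out = calloc(nb + nf + 1, sizeof *out); /* room for the NULL */
    if (out == NULL) return NULL;

    size_t n = 0;
    for (size_t i = 0; i < nb; i++)
        out[n++] = (char *)base[i];
    for (size_t i = 0; i < nf; i++)
        if (!attr_present((const char **)out, n, filter_attrs[i]))
            out[n++] = (char *)filter_attrs[i];

    out[n] = NULL; /* explicit terminator, even when de-duplication left slack */
    return out;
}
```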
2.3.39 has been added to the tree a few hours ago. Is this version ready to be stabilised? ldap team, please advise.
Do it :) Arches, please use the testkit with the overlays USE flag set (and without, if you feel like spending more time).
Well, given that it's only just been added and we haven't filed a stabilization bug, I'd guess it's NOT ready to be stabilized. In light of the advisory, though, we can probably speed it up. Having read all the advisories, it doesn't seem to be a major issue; in fact, contrary to what I saw some classify the bug as, it does require special compile configuration and authorized access to add things to the DIT. In other words, the impact is lessened considerably if you are running a normal recommended setup where you don't allow anonymous people to make modifications to your LDAP backend. I'll see if I can get hold of robbat / jokey and find out their thoughts; we'll look to stabilize it soon, though.
Markus, your overlay USE flag still breaks all the syncrepl stuff. I'd like to fix it before we push it out. I'll catch you on irc.
OK, ping security back when it's ready.
*** Bug 195180 has been marked as a duplicate of this bug. ***
After ~arch for a week, how is it doing?
Enabled the syncprov overlay by default now so that it works sanely with the new-style config system in 2.3.39-r1.
Is this ready for stabling now?
Jokey, I remember you OK'ed the stabling in a recent chat, but I lost the logs. Can you confirm that again, please?
Yup, just go ahead for now, the bdb issue will be dealt with at a different version
Arches, please test and mark stable net-nds/openldap-2.3.39-r1. Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
*sigh* you'll need an emul-linux-x86-baselibs bump too...
(In reply to comment #13)
> *sigh* you'll need an emul-linux-x86-baselibs bump too...

copy that sigh.
ppc stable
ppc64 stable
Stable for HPPA.
x86 stable
alpha/ia64/sparc stable
(In reply to comment #14)
> (In reply to comment #13)
> > *sigh* you'll need an emul-linux-x86-baselibs bump too...
>
> copy that sigh.

app-emulation/emul-linux-x86-baselibs-20071128, going in the tree in an hour, contains the fix.
amd64 done...
Vote is open. Vulnerability (1) does not affect the default configuration and vulnerability (2) only allows *authenticated* users to crash the server. I still tend to vote YES here.
I vote YES.
Full YES then, and filed.
GLSA 200803-28