Bug 843161 (CVE-2022-29155) - <net-nds/openldap-2.6.2: sql injection in back-sql slapd backend
Summary: <net-nds/openldap-2.6.2: sql injection in back-sql slapd backend
Status: CONFIRMED
Alias: CVE-2022-29155
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bugs.openldap.org/show_bug.cg...
Whiteboard: B4 [cleanup]
Keywords:
Depends on:
Blocks:
Reported: 2022-05-07 15:16 UTC by John Helmert III
Modified: 2022-06-02 23:20 UTC

See Also:
Package list:
Runtime testing required: ---
Description John Helmert III 2022-05-07 15:16:06 UTC
CVE-2022-29155:

In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.

Not sure if this affects our stable versions, but the fix is in 2.5.12 and 2.6.2.
Comment 1 Sam James 2022-06-02 23:20:22 UTC
Yeah, we are "OpenLDAP 2.x before 2.5.x", I think that is how to read it.