← Back to team overview

enterprise-support team mailing list archive

  1. enterprise-support team
  2. Mailing list archive
  3. Message #04280

[Bug 1446809] Re: [SRU] denial of service via an LDAP search query (CVE-2012-1164, CVE-2013-4449, CVE-2015-1545)

  Thread PreviousDate PreviousThread Next 
This bug was fixed in the package openldap - 2.4.28-1.1ubuntu4.5

---------------
openldap (2.4.28-1.1ubuntu4.5) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via an LDAP search query
    with attrsOnly set to true. (LP: #1446809)
    - debian/patches/CVE-2012-1164.1.patch: don't leave empty slots in
      normalized attr values
    - debian/patches/CVE-2012-1164.2.patch: add FIXME comment, note that
      current patch is not ideal
    - debian/patches/CVE-2012-1164.3.patch: fix attr_dup2 when no values are
      present (attrsOnly = TRUE)
    - CVE-2012-1164
  * SECURITY UPDATE: fix rwm overlay reference counting
    - debian/patches/CVE-2013-4449.patch: fix reference counting
    - CVE-2013-4449
  * SECURITY UPDATE: fix NULL pointer dereference in deref_parseCtrl()
    - debian/patches/CVE-2015-1545.patch: require non-empty AttributeList
    - CVE-2015-1545

 -- Felipe Reyes <felipe.reyes@xxxxxxxxxxxxx>  Tue, 19 May 2015 11:53:17
-0300

** Changed in: openldap (Ubuntu Precise)
       Status: Triaged => Fix Released

** Changed in: openldap (Ubuntu Trusty)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to openldap in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1446809

Title:
  [SRU] denial of service via an LDAP search query (CVE-2012-1164,
  CVE-2013-4449, CVE-2015-1545)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1446809/+subscriptions

References

  Thread PreviousDate PreviousThread Next