touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #76307
[Bug 1446809] Re: [SRU] denial of service via an LDAP search query with attrsOnly set to true (CVE-2012-1164)
** Description changed:
[Impact]
* slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a
denial of service (assertion failure and daemon exit) via an LDAP search
query with attrsOnly set to true, which causes empty attributes to be
returned.
* Trusty ships 2.4.31 which comes with a fix for this.
[Test Case]
TBD
[Regression Potential]
- TBD
+ * this set of patches adds validations to avoid segfaults, so no
+ regression is expected.
[Other Info]
* Upstream bug report http://www.openldap.org/its/index.cgi/Software%2520Bugs?id=7143
* http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1164.html
* Patches backported:
- - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=ef2f5263de8802794e528cc2648ecfca369302ae (p1)
- - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=430256fafb85028443d7964a5ab1f4bbf8b2db38 (p2)
- - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=463c1fa25d45e393dc1f1ea235286f79e872fad0 (p3)
+ - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=ef2f5263de8802794e528cc2648ecfca369302ae (p1)
+ - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=430256fafb85028443d7964a5ab1f4bbf8b2db38 (p2)
+ - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=463c1fa25d45e393dc1f1ea235286f79e872fad0 (p3)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1446809
Title:
[SRU] denial of service via an LDAP search query with attrsOnly set to
true (CVE-2012-1164)
Status in openldap package in Ubuntu:
New
Status in openldap package in Debian:
Fix Released
Bug description:
[Impact]
* slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a
denial of service (assertion failure and daemon exit) via an LDAP
search query with attrsOnly set to true, which causes empty attributes
to be returned.
* Trusty ships 2.4.31 which comes with a fix for this.
[Test Case]
TBD
[Regression Potential]
* this set of patches adds validations to avoid segfaults, so no
regression is expected.
[Other Info]
* Upstream bug report http://www.openldap.org/its/index.cgi/Software%2520Bugs?id=7143
* http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1164.html
* Patches backported:
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=ef2f5263de8802794e528cc2648ecfca369302ae (p1)
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=430256fafb85028443d7964a5ab1f4bbf8b2db38 (p2)
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=463c1fa25d45e393dc1f1ea235286f79e872fad0 (p3)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1446809/+subscriptions
References