Bug#397673: [Pkg-openldap-devel] Bug#397673: CVE-2006-5779: OpenLDAP
BIND Denial of Service Vulnerability
Quanah Gibson-Mount
quanah at stanford.edu
Thu Nov 9 00:02:59 CET 2006
--On Wednesday, November 08, 2006 1:56 PM -0800 Quanah Gibson-Mount
<quanah at stanford.edu> wrote:
>
>
> --On Wednesday, November 08, 2006 10:53 PM +0100 Stefan Fritsch
> <sf at sfritsch.de> wrote:
>
>>> Can you supply actual details? This statement isn't very useful
>>> without them.
>>
>> Oops. Of course:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5779
>> http://secunia.com/advisories/22750
>>
>> Proof of concept exploit (not tested) is at
>> http://gleg.net/vulndisco_meta.shtml
>
> I think upstream should handle this, I've already contacted the other OL
> developers.
>
> Of course, this guy is using CRAM-MD5, which isn't even a supported SASL
> mech for OpenLDAP, so it is an interesting bug...
Upstream patch available at:
<http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/getdn.c>
getdn.c 1.124.2.4 -> 1.124.2.5
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html