[Pkg-openldap-devel] Bug#465875: slapd: CVE-2008-0658 denial of service for authenticated users in the BDB backend
Steve Langasek
vorlon at debian.org
Fri Feb 15 18:31:21 UTC 2008
tags 465933 confirmed upstream
severity 465933 important
thanks
On Fri, Feb 15, 2008 at 02:30:42PM +0100, Nico Golde wrote:
> Package: slapd
> Version: 2.3.39-1
> Severity: grave
> Tags: security patch
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for slapd.
> CVE-2008-0658[0]:
> | slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP
> | 2.3.39 allows remote authenticated users to cause a denial of service
> | (daemon crash) via a modrdn operation with a NOOP
> | (LDAP_X_NO_OPERATION) control, a related issue to CVE-2007-6698.
> If you fix this vulnerability please also include the CVE id
> in your changelog entry.
> You can find a patch for this on:
> http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-bdb/modrdn.c.diff?r1=1.197&r2=1.198&f=h
For the record, this patch is not present in 2.4.7, so testing and unstable
appear to also be vulnerable.
Downgrading the severity though, in keeping with the Debian security team's
policy on DoS bugs. If there's any evidence that this bug is exploitable as
a privilege escalation vector, the severity should of course be raised
again.
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                 vorlon at debian.org