[Pkg-openldap-devel] Bug#488710: slapd: remote DoS

Steve Langasek vorlon at debian.org
Mon Jun 30 20:34:50 UTC 2008


severity 488710 important
forwarded 488710 http://www.openldap.org/its/index.cgi?findid=5580
thanks

On Mon, Jun 30, 2008 at 09:26:27PM +0200, Steffen Joeris wrote:
> Package: slapd
> Severity: grave
> Tags: security, patch
> Justification: user security hole

Unless something's changed, this justification (and bug description) is
inconsistent with the guidelines for security bug severities...

> The following email came over the public security list:

> Remote unauthenticated attackers can trigger an assertion in the ASN.1 BER
> decoding of openldap and crash the server:
> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580

> An upstream patch seems to be here:
> http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=1.120&r2=1.121&hideattic=1&sortbydate=0

According to the bug state, this bug fix is still being tested upstream, so
it would be premature to upload this patch yet.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org




