[Pkg-openldap-devel] Bug#617606: openldap: [PATCH] CVE-2011-1024 CVE-2011-1025 and CVE-2011-1081
Jamie Strandboge
jamie at ubuntu.com
Thu Apr 7 17:50:51 UTC 2011
Package: openldap
Version: 2.4.23-6
Severity: normal
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu natty ubuntu-patch
In Ubuntu, the attached patch was applied to achieve the following:
* SECURITY UPDATE: fix successful anonymous bind via chain overlay when
using forwarded authentication failures
- debian/patches/CVE-2011-1024
- CVE-2011-1024
* SECURITY UPDATE: verify password when authenticating to rootdn and using ndb
backend. Note: Ubuntu is not compiled with --enable-ndb by default
- debian/patches/CVE-2011-1025
- CVE-2011-1025
* SECURITY UPDATE: fix DoS when processing unauthenticated modrdn requests
and requestDN is empty
- debian/patches/CVE-2011-1081
- CVE-2011-1081
- LP: #742104
Upstream patchsets and information are located in DEP-3 comments of the
patch. While CVE-2011-1024 and CVE-2011-1025 are pretty minor,
CVE-2011-1081 is at least a medium as a crafted unauthenticated modrdn
request can DoS the server. Attaching all patches here since the Debian
CVE tracker[1] lists this bug for CVE-2011-1081. Thanks for considering
the patch.
Jamie
[1] http://security-tracker.debian.org/tracker/CVE-2011-1081
-- System Information:
Debian Release: squeeze/sid
APT prefers natty-updates
APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-8-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Attachment (scrubbed by the list archive): tmpEEoouf, text/x-diff, 4209 bytes
URL: <http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20110407/fb30503e/attachment.diff>