[Pkg-openldap-devel] [SRM] (PRSC) Security fixes and possible database corruption

Michael Gilbert michael.s.gilbert at gmail.com
Mon Mar 28 23:10:57 UTC 2011


On Mon, 28 Mar 2011 22:21:14 +0100 Jonathan Wiltshire wrote:

> On Mon, Mar 28, 2011 at 10:41:23PM +0200, Matthijs Möhlmann wrote:
> > CVE-2011-1081:
> > modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attackers to cause a denial of service (daemon crash) via a relative Distinguished Name (DN) modification request (aka MODRDN operation) that contains an empty value for the OldDN field.
> > Fix: http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/modrdn.c.diff?hideattic=1&r1=text&tr1=1.181&r2=text&tr2=1.182&f=c
> > Impact: High, possibility to remotely crash slapd.
> 
> This is new in the tracker, and so might be DSA material. Security team,
> can you decide if this should be a point release or a DSA please?

The current process for a DSA is to submit an RT ticket [0] with the
intended fixes and description, then the security team will either work
on the DSA, or they will have you reassign it to release.debian.org.

Best wishes,
Mike

[0] http://wiki.debian.org/rt.debian.org#Security_Team



More information about the Pkg-openldap-devel mailing list