DSA 1541-1: New openldap2.3 packages fix denial of service
Posted on: 04/08/2008 11:10 PM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1541-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
April 08, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : openldap2.3
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-5707 CVE-2007-5708 CVE-2007-6698 CVE-2008-0658
Debian Bug : 440632 448644 465875

Several remote vulnerabilities have been discovered in OpenLDAP, a
free implementation of the Lightweight Directory Access Protocol. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2007-5707

Thomas Sesselmann discovered that slapd could be crashed by a
malformed modify requests.

CVE-2007-5708

Toby Blade discovered that incorrect memory handling in slapo-pcache
could lead to denial of service through crafted search requests.

CVE-2007-6698

It was discovered that a programming error in the interface to the
BDB storage backend could lead to denial of service through
crafted modify requests.

CVE-2008-0658

It was discovered that a programming error in the interface to the
BDB storage backend could lead to denial of service through
crafted modrdn requests.

For the stable distribution (etch), these problems have been fixed in
version 2.3.30-5+etch1.

For the unstable distribution (sid), these problems have been fixed in
version 2.4.7-6.1.

We recommend that you upgrade your openldap2.3 packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 4.0 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/o/openldap2.3/openldap2.3_2.3.30-5+etch1.diff.gz
Size/MD5 checksum: 311352 ab5ecd0da4ad32f39ca8ca34e97aea8e
http://security.debian.org/pool/updates/main/o/openldap2.3/openldap2.3_2.3.30.orig.tar.gz
Size/MD5 checksum: 2971126 c40bcc23fa65908b8d7a86a4a6061251
http://security.debian.org/pool/updates/main/o/openldap2.3/openldap2.3_2.3.30-5+etch1.dsc
Size/MD5 checksum: 1205 64cd8bb9897af0062fd15e9b0fb8e32e

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_alpha.deb
Size/MD5 checksum: 193978 6e4e9f9c7f0936cb8d023bf2402af42e
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_alpha.deb
Size/MD5 checksum: 293070 35576398d8f2d5618bace89bbec87870
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_alpha.deb
Size/MD5 checksum: 1283688 a2eaf28c1c1285753e71122c5561e39f

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_amd64.deb
Size/MD5 checksum: 184540 6bc131c285864c654d28e90fd06000ee
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_amd64.deb
Size/MD5 checksum: 285256 995b228196a6ce2ccf5bcfa6521244c5
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_amd64.deb
Size/MD5 checksum: 1244474 3b455c3a4f221bfb82dd6f70dd5f851a

arm architecture (ARM)

http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_arm.deb
Size/MD5 checksum: 1188898 956eeea9cc2bd6e5e4e50145d05dd39e
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_arm.deb
Size/MD5 checksum: 141956 d9b143c4304ca81db461be2bdf30221c
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_arm.deb
Size/MD5 checksum: 254604 6b2744212645932232f285547c3465a0

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_hppa.deb
Size/MD5 checksum: 1306308 287335a1821aefc8efb102d6982aff98
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_hppa.deb
Size/MD5 checksum: 292048 4a4f3ef5fbbe1e8793bf1cd797e7b028
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_hppa.deb
Size/MD5 checksum: 180756 691a106d02d195b991b235515d0d174c

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_i386.deb
Size/MD5 checksum: 265946 e88fc90218b13aebb2a1578901a69824
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_i386.deb
Size/MD5 checksum: 1174252 903a34a92df100585dba3e0ec0f25987
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_i386.deb
Size/MD5 checksum: 154126 80588200bcbc4f6b8e3c60983eae4780

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_ia64.deb
Size/MD5 checksum: 379540 9487d1a5a9a03c4654b7a361d4c67753
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_ia64.deb
Size/MD5 checksum: 1660796 6df92fd96886f3316f26f89f2da0eb96
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_ia64.deb
Size/MD5 checksum: 239118 9ae940f8df656d2f233acefd0b2274bf

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_mips.deb
Size/MD5 checksum: 185506 8a1ab4fc883116059b529ffa00a8c346
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_mips.deb
Size/MD5 checksum: 1205680 431589f3aad740adde1dc121edfc2f0b
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_mips.deb
Size/MD5 checksum: 257964 10ae6c9739e5ec1cce436e82572d3086

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_mipsel.deb
Size/MD5 checksum: 1188188 eb29253ae4008e5e74135b9b03fda111
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_mipsel.deb
Size/MD5 checksum: 258576 83b99052b2853cd94b665ae621d3b66f
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_mipsel.deb
Size/MD5 checksum: 186780 316031a466a6e221789ee246c2fe96c6

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_powerpc.deb
Size/MD5 checksum: 272220 f8cb7024f7e5e00b94ff8d638cddb18d
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_powerpc.deb
Size/MD5 checksum: 188744 7bd626905a9443950a1cab4df28a4a59
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_powerpc.deb
Size/MD5 checksum: 1243640 6faf3ce99497a3e8d793eea3c0d0aca2

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_s390.deb
Size/MD5 checksum: 1240862 ccf0e13f6dc5756dc84d524cb9a033dd
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_s390.deb
Size/MD5 checksum: 291452 33deedd35ad575833f7227047b644fae
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_s390.deb
Size/MD5 checksum: 168348 4fa52da0e0d54466a804c40306ae9f83

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch1_sparc.deb
Size/MD5 checksum: 1167532 392f3e996130e2fa64c0005218d776e0
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch1_sparc.deb
Size/MD5 checksum: 256800 32585d0c8d9996050f74caf021af6f73
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch1_sparc.deb
Size/MD5 checksum: 154976 a083feee801f6c843b6509df9b6307b3


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH++iGXm3vHE4uyloRAsmmAJ4+qGN0+KYGQf+LkJURZvf2xNHc6wCgusMV
9+QeCZXT1tC9AYUHa0ESfNk=
=7PGS
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1541_1_new_openldap23_packages_fix_denial_of_service.html)