Posted by GLSA Advocate (joined 12 May 2004, 2663 posts) on Tue Nov 28, 2006 9:26 pm
Post subject: [ GLSA 200611-25 ] OpenLDAP: Denial of Service vulnerability
Gentoo Linux Security Advisory
Title: OpenLDAP: Denial of Service vulnerability (GLSA 200611-25)
Severity: normal
Exploitable: remote
Date: November 28, 2006
Bug(s): #154349
ID: 200611-25
Synopsis
A flaw in OpenLDAP allows remote unauthenticated attackers to cause a Denial of Service.
Background
OpenLDAP is a suite of LDAP-related applications and development tools.
Affected Packages
Package: net-nds/openldap
Vulnerable: < 2.3.27-r3
Unaffected: >= 2.3.27-r3
Unaffected: >= 2.2.28-r5 < 2.2.29
Unaffected: >= 2.1.30-r8 < 2.1.31
Architectures: All supported architectures
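The version ranges above are the part of this advisory an administrator actually has to evaluate against each host, and the backported fixes on the 2.2 and 2.1 branches make "is my version vulnerable?" slightly more than a single comparison. The following Python is an added example, not part of the GLSA or of Gentoo's tooling: it transcribes the table into data and classifies an installed net-nds/openldap version string. Its version parser is a deliberate simplification of Portage's rules (dotted integers plus an optional `-rN` revision only; `_pre`/`_rc`/`_p` suffixes and trailing letters are not handled), and the sample versions it classifies are constructed.

```python
# Added example (not part of GLSA 200611-25): classify an installed Gentoo
# package version against the affected/unaffected ranges the advisory lists.
# Version parsing is a simplification of Portage's version specification:
# dotted integers plus an optional "-rN" revision only (assumption); suffixes
# such as _pre/_rc/_p and trailing letters are rejected rather than guessed.
import re
from typing import Optional, Tuple

VersionKey = Tuple[Tuple[int, ...], int]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(version: str) -> VersionKey:
    """Turn '2.3.27-r3' into ((2, 3, 27, 0), 3). A missing revision counts as -r0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version syntax: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    revision = int(m.group(2) or 0)
    # Pad to a fixed width so that 2.3 and 2.3.0 compare equal.
    parts = parts + (0,) * (4 - len(parts))
    return parts, revision


# Ranges transcribed from the advisory's "Affected Packages" table.
VULNERABLE_BELOW = "2.3.27-r3"
UNAFFECTED_RANGES = [
    # (lower bound inclusive, upper bound exclusive; None means open-ended)
    ("2.3.27-r3", None),
    ("2.2.28-r5", "2.2.29"),
    ("2.1.30-r8", "2.1.31"),
]


def in_range(version: str, lower: str, upper: Optional[str]) -> bool:
    """True if lower <= version < upper (upper=None means no upper bound)."""
    v = parse_version(version)
    if v < parse_version(lower):
        return False
    return upper is None or v < parse_version(upper)


def is_vulnerable(installed: str) -> bool:
    """True if the installed net-nds/openldap version falls in the vulnerable set."""
    v = parse_version(installed)
    if v >= parse_version(VULNERABLE_BELOW):
        return False
    # Older branches carrying the backported fix are listed as unaffected ranges.
    return not any(in_range(installed, lo, hi) for lo, hi in UNAFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inputs. On a real Gentoo host the installed version
    # would be read from /var/db/pkg/net-nds/ or a tool such as qlist (portage-utils).
    for candidate in ["2.3.27-r2", "2.3.27-r3", "2.2.28-r5", "2.2.28-r4",
                      "2.1.30-r8", "2.1.30", "2.4.0"]:
        status = "VULNERABLE" if is_vulnerable(candidate) else "unaffected"
        print(f"net-nds/openldap-{candidate}: {status}")
```

The point the data structure makes explicit is that a plain "less than 2.3.27-r3" test would wrongly flag 2.2.28-r5 and 2.1.30-r8, which carry the backported fix; any inventory script that consumes GLSAs needs to model the unaffected ranges, not just the vulnerable bound.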
Description
Evgeny Legerov has discovered that the truncation of an incoming authcid longer than 255 characters and ending with a space as the 255th character will lead to an improperly computed name length. This will trigger an assert in the libldap code.
Impact
By sending a BIND request with a specially crafted authcid parameter to an OpenLDAP service, a remote attacker can cause the service to crash.
Workaround
There is no known workaround at this time.
Resolution
All OpenLDAP users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose "net-nds/openldap"
References
CVE-2006-5779