lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080305224606.GB9735@severus.strandboge.com>
Date: Wed, 5 Mar 2008 17:46:06 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [USN-584-1] OpenLDAP vulnerabilities

=========================================================== 
Ubuntu Security Notice USN-584-1             March 05, 2008
openldap2.2, openldap2.3 vulnerabilities
CVE-2007-6698, CVE-2008-0658
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  slapd                           2.2.26-5ubuntu2.6

Ubuntu 6.10:
  slapd                           2.2.26-5ubuntu3.3

Ubuntu 7.04:
  slapd                           2.3.30-2ubuntu0.2

Ubuntu 7.10:
  slapd                           2.3.35-1ubuntu0.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Jonathan Clarke discovered that the OpenLDAP slapd server did not
properly handle modify requests when using the Berkeley DB backend
and the NOOP control was used. An authenticated user with modify
permissions could send a crafted modify request and cause a denial
of service via application crash. Ubuntu 7.10 is not affected by
this issue. (CVE-2007-6698)

Ralf Haferkamp discovered that the OpenLDAP slapd server did not
properly handle modrdn requests when using the Berkeley DB backend
and the NOOP control was used. An authenticated user with modrdn
permissions could send a crafted modrdn request and possibly cause a
denial of service via application crash. (CVE-2007-6698)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu2.6.diff.gz
      Size/MD5:   513643 5ec2226be9a7a7ed4b08c8c129943979
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu2.6.dsc
      Size/MD5:     1020 fa23dada98476932fb1e8c1e6d47a143
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26.orig.tar.gz
      Size/MD5:  2626629 afc8700b5738da863b30208e1d3e9de8

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.6_amd64.deb
      Size/MD5:   130552 9e5d6589617f2c98632b8c7c5a4f2afc
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.6_amd64.deb
      Size/MD5:   165976 68032a07f814ef62556b539b17531161
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.6_amd64.deb
      Size/MD5:   961572 6074803431925962b7500f1223ecba0e

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.6_i386.deb
      Size/MD5:   118396 b8864fd7cb61e88cf5bd15ed5c87ce38
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.6_i386.deb
      Size/MD5:   146100 27c057986763be36fd3b267ba1844bb2
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.6_i386.deb
      Size/MD5:   873016 c392b5a10d1973fe2d6c264d496a0424

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.6_powerpc.deb
      Size/MD5:   132736 a21157c2d376e3b4cdd7fdb2e3b97a2e
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.6_powerpc.deb
      Size/MD5:   157168 a935b8931a79ec692fa3d10357feb811
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.6_powerpc.deb
      Size/MD5:   959554 bd801628bccfdc5624d9386d0fb6c2d1

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.6_sparc.deb
      Size/MD5:   120696 8efb65196a17efc1b397cadc874eb201
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.6_sparc.deb
      Size/MD5:   148180 83781a94080002f4363d2fd557cec845
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.6_sparc.deb
      Size/MD5:   903560 0ed257e45f1ae749cb3a0b4591328db4

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu3.3.diff.gz
      Size/MD5:   514824 2e3cf6b4dbcfc951d00875df98394a0e
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu3.3.dsc
      Size/MD5:     1020 4cb25054b1a571a1c228d06b6fa8872a
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26.orig.tar.gz
      Size/MD5:  2626629 afc8700b5738da863b30208e1d3e9de8

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu3.3_amd64.deb
      Size/MD5:   130748 cec7e5a6bbd103d02f59b171e6d3cc62
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu3.3_amd64.deb
      Size/MD5:   166720 eddb5a050a7637767c89f7f84b686bfc
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu3.3_amd64.deb
      Size/MD5:   958496 551d5753a74f213bfc2cfd30849beae5

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu3.3_i386.deb
      Size/MD5:   121340 35ae855094d28ba27c6adbd2dbe52125
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu3.3_i386.deb
      Size/MD5:   152528 69a0aff9de16526d748439e3c7328ed3
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu3.3_i386.deb
      Size/MD5:   900950 a594fcc12375717e00501ea309d19eff

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu3.3_powerpc.deb
      Size/MD5:   133704 fe69e3b733b16e50360836197f7cecdc
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu3.3_powerpc.deb
      Size/MD5:   158892 7310d1dd87e09123350b9338ebf20216
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu3.3_powerpc.deb
      Size/MD5:   966698 424729c177d675a259d311d10aebbb18

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu3.3_sparc.deb
      Size/MD5:   121598 f43c977b60ba22fa469141867d6bcfb2
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu3.3_sparc.deb
      Size/MD5:   149344 766dab29f1fd99af475b331440c4c4cc
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu3.3_sparc.deb
      Size/MD5:   909576 733c2d21d553061af3bfb4d6792a24d1

Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.30-2ubuntu0.2.diff.gz
      Size/MD5:   140603 0f1ab4e378c92fb2e12887ec9046e0cc
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.30-2ubuntu0.2.dsc
      Size/MD5:     1295 ee74d8bd01147a16a304705477171875
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.30.orig.tar.gz
      Size/MD5:  2971126 c40bcc23fa65908b8d7a86a4a6061251

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.30-2ubuntu0.2_amd64.deb
      Size/MD5:   187680 68efce79af7efe0a1d08201060361653
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.30-2ubuntu0.2_amd64.deb
      Size/MD5:   292344 da795196baacdaac42894aa055629bea
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.30-2ubuntu0.2_amd64.deb
      Size/MD5:  1228068 36e10789bdb22aa92428ec6d77d297b7

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.30-2ubuntu0.2_i386.deb
      Size/MD5:   156110 034749aedc798753db0d9541c2c8b74e
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.30-2ubuntu0.2_i386.deb
      Size/MD5:   267460 f0ffcab028cd2237b6dad5592c454659
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.30-2ubuntu0.2_i386.deb
      Size/MD5:  1154810 73212a3a90a50d0fa342e886b61993f3

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.30-2ubuntu0.2_powerpc.deb
      Size/MD5:   203704 6f1d507298df6933ce5ac77fb52ebfb2
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.30-2ubuntu0.2_powerpc.deb
      Size/MD5:   294438 882c7302c977a3ef131b217ec8851eb7
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.30-2ubuntu0.2_powerpc.deb
      Size/MD5:  1280484 2b30e19235b699552a37db6aaa40e874

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.30-2ubuntu0.2_sparc.deb
      Size/MD5:   164430 d2e7b34d207937643dc45a3cdebd7e93
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.30-2ubuntu0.2_sparc.deb
      Size/MD5:   264284 245d63568559de9d2692b59e45a78462
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.30-2ubuntu0.2_sparc.deb
      Size/MD5:  1169954 44205386809e93336c4610c43fda8786

Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.35-1ubuntu0.2.diff.gz
      Size/MD5:   151903 2cd8ba0d9c70957b9956e427809578b7
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.35-1ubuntu0.2.dsc
      Size/MD5:     1305 57e636f0f209825bdab902f327bc5c9a
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.35.orig.tar.gz
      Size/MD5:  2947629 5096146b7a7eb6ce3b0a97549347b5be

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.35-1ubuntu0.2_amd64.deb
      Size/MD5:   190006 3163216fad39b4f6f6eeb1d5a7a0dee6
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.35-1ubuntu0.2_amd64.deb
      Size/MD5:   347150 1ee13cb4baf6332cfc41842c56f24cbc
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.35-1ubuntu0.2_amd64.deb
      Size/MD5:  1296380 c833d82c46dcf383895269e4382fdb44

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.35-1ubuntu0.2_i386.deb
      Size/MD5:   155416 a55085d0ddd8c5efcf922cb4654ee432
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.35-1ubuntu0.2_i386.deb
      Size/MD5:   314722 1e36f20fb6a2c7edf227a32e7c15702d
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.35-1ubuntu0.2_i386.deb
      Size/MD5:  1216432 1e3cef622a3763e3f52c71cf799caf67

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.35-1ubuntu0.2_powerpc.deb
      Size/MD5:   205216 25bf9ad7302ac5bfdd7aa17316bbfc7d
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.35-1ubuntu0.2_powerpc.deb
      Size/MD5:   345862 3891c829c88334a631e29d3ab65f970e
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.35-1ubuntu0.2_powerpc.deb
      Size/MD5:  1345548 2b31e34aeb9db8cf819e5e9f64fb2499

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.35-1ubuntu0.2_sparc.deb
      Size/MD5:   166440 9729d0640a24245d806a1eaa4da57e25
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.35-1ubuntu0.2_sparc.deb
      Size/MD5:   306882 7b8e476dcc15ce5d9d7b36de14617559
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.35-1ubuntu0.2_sparc.deb
      Size/MD5:  1229006 496bc48c65314709cb2bb0f2570b7881



Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ