[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4B16E004.4090903@debian.org>
Date: Wed, 02 Dec 2009 22:45:40 +0100
From: Giuseppe Iuculano <iuculano@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1943-1] New openldap2.3/openldap packages fix SSL certificate
verification weakness
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1943 security@...ian.org
http://www.debian.org/security/ Giuseppe Iuculano
December 02, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Packages : openldap openldap2.3
Vulnerability : insufficient input validation
Problem type : remote
Debian-specific: no
Debian bug : 553432
CVE ID : CVE-2009-3767
It was discovered that OpenLDAP, a free implementation of the Lightweight
Directory Access Protocol, when OpenSSL is used, does not properly handle a '\0'
character in a domain name in the subject's Common Name (CN) field of an X.509
certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL
servers via a crafted certificate issued by a legitimate Certification Authority.
For the oldstable distribution (etch), this problem has been fixed in version
2.3.30-5+etch3 for openldap2.3.
For the stable distribution (lenny), this problem has been fixed in version
2.4.11-1+lenny1 for openldap.
For the testing distribution (squeeze), and the unstable distribution (sid),
this problem has been fixed in version 2.4.17-2.1 for openldap.
We recommend that you upgrade your openldap2.3/openldap packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/o/openldap2.3/openldap2.3_2.3.30.orig.tar.gz
Size/MD5 checksum: 2971126 c40bcc23fa65908b8d7a86a4a6061251
http://security.debian.org/pool/updates/main/o/openldap2.3/openldap2.3_2.3.30-5+etch3.dsc
Size/MD5 checksum: 1214 36efc1cf2a98c54d4b1da0910e273843
http://security.debian.org/pool/updates/main/o/openldap2.3/openldap2.3_2.3.30-5+etch3.diff.gz
Size/MD5 checksum: 315058 310ce752b78ff3227d78dcd8c1bd60a5
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_alpha.deb
Size/MD5 checksum: 293108 2172048d5f8b8b7f379b3414fc5c2e37
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_alpha.deb
Size/MD5 checksum: 1280772 ab65f162a40607c1787f9b03783a7563
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_alpha.deb
Size/MD5 checksum: 193768 602a6da790648dd8b0af7d9f386b5c6e
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_amd64.deb
Size/MD5 checksum: 285554 42480b47018eb1d70b9e62d05b925a5b
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_amd64.deb
Size/MD5 checksum: 1244570 b88256f8259516b09c51f166ff6b4aea
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_amd64.deb
Size/MD5 checksum: 184652 716cc53985a031d1fe03fede778d6ae5
arm architecture (ARM)
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_arm.deb
Size/MD5 checksum: 1190314 8686c6a9a9240e6113f92c8bb20d7e1a
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_arm.deb
Size/MD5 checksum: 254828 49d9c9a250fb4a5a828de5791ee92380
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_arm.deb
Size/MD5 checksum: 155876 bb45d3104fe4b9811fdb3063da42d3b1
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_hppa.deb
Size/MD5 checksum: 1307146 698d7416e4cc544522ce2e25ac9c0fce
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_hppa.deb
Size/MD5 checksum: 292798 eb9d6d19560a1153cc58ccae3f354a4e
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_hppa.deb
Size/MD5 checksum: 182568 caade74265ee9d7b8ac77c844c23b413
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_i386.deb
Size/MD5 checksum: 1177552 f3ccf11b82474593af5e30a272f9edb9
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_i386.deb
Size/MD5 checksum: 148744 168e58797e74f9b3b6d3c337b6369ca7
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_i386.deb
Size/MD5 checksum: 266538 3be52b8402d06913624a3e808be58ecb
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_ia64.deb
Size/MD5 checksum: 239248 78d1537b3a106824ff5d076e828a0312
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_ia64.deb
Size/MD5 checksum: 379904 dbc96e1a44dce4bb5f79b9c043823293
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_ia64.deb
Size/MD5 checksum: 1660854 fcc2873ffd50e45c956d9bcc81d83c51
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_mips.deb
Size/MD5 checksum: 258210 298f5a83a1efd8c035644fd58df21f2c
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_mips.deb
Size/MD5 checksum: 185598 b6c67ee072f2de03820e7ce11edb39c3
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_mips.deb
Size/MD5 checksum: 1205768 3f312958af5ea129384513e5fab72208
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_mipsel.deb
Size/MD5 checksum: 258852 d7ba57787989e3fb5035fce34b04965d
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_mipsel.deb
Size/MD5 checksum: 187100 46910e3923926ac060c13a7a53f8cac4
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_mipsel.deb
Size/MD5 checksum: 1188878 5698884b42d7206c2b0c134602861354
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_powerpc.deb
Size/MD5 checksum: 188914 e03855167b8e13bdb72e47baa9644f86
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_powerpc.deb
Size/MD5 checksum: 272378 f5741b7ac8f4172e7481f5c2e699231b
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_powerpc.deb
Size/MD5 checksum: 1243754 2a8b933e956e5ac4bc29028688bb09ec
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_s390.deb
Size/MD5 checksum: 291822 6b47ac5b7fbc269c1973c494d5dadbc2
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_s390.deb
Size/MD5 checksum: 168716 f72b023d98d61565c624f7acbf953baf
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_s390.deb
Size/MD5 checksum: 1241532 0167eb506b063de5435181f40c6cf809
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_sparc.deb
Size/MD5 checksum: 1177712 770a58d0c60ad11e5ca4cf25159fe2c7
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_sparc.deb
Size/MD5 checksum: 153682 d8bf20f2a94456451d4ea29d3237d280
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_sparc.deb
Size/MD5 checksum: 258560 4bfd77d56852608813f158ecfd91b42b
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/o/openldap/openldap_2.4.11-1+lenny1.diff.gz
Size/MD5 checksum: 148075 024b717169f42734ee5650ebe2978631
http://security.debian.org/pool/updates/main/o/openldap/openldap_2.4.11-1+lenny1.dsc
Size/MD5 checksum: 1831 ca4cb86b4847a59f95275ff2f4d0e173
http://security.debian.org/pool/updates/main/o/openldap/openldap_2.4.11.orig.tar.gz
Size/MD5 checksum: 4193523 d4e8669e2c9b8d981e371e97e3cf92d9
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_alpha.deb
Size/MD5 checksum: 3624752 5b4e467360ecd8cc897b03b5aca57dad
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_alpha.deb
Size/MD5 checksum: 205526 3b083869976ab4d8d8df69d27fe9480e
http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_alpha.deb
Size/MD5 checksum: 280526 4ed333757fef7e98d89c5edda6589b04
http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_alpha.deb
Size/MD5 checksum: 1537448 98d6aeab748560a491e0b526d930fc0c
http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_alpha.deb
Size/MD5 checksum: 1013148 cc656603f7ae0eacc2b3c22dd1fae967
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_alpha.deb
Size/MD5 checksum: 285128 e526e547a4af2c13bf3ae90dfdf023a2
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_amd64.deb
Size/MD5 checksum: 1493300 31c077d63cc2ff159927939cadb29808
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_amd64.deb
Size/MD5 checksum: 299612 e148216f77a9136adb19acd8df026d6d
http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_amd64.deb
Size/MD5 checksum: 267470 f903f46433faa1d2b6b203e50aaed3d8
http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_amd64.deb
Size/MD5 checksum: 881074 de337737dd93af0b81bd90e3c6f23377
http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_amd64.deb
Size/MD5 checksum: 3664994 8ad4581bd54e1ed7a8f3c1c8bf210c17
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_amd64.deb
Size/MD5 checksum: 204896 c0dba3b62aa14392d29f831d6c87206d
arm architecture (ARM)
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_arm.deb
Size/MD5 checksum: 280140 ccaed923684d35304f50f27fc6b868b3
http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_arm.deb
Size/MD5 checksum: 248918 a08cf9fd18ce8806be437c364179c2b3
http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_arm.deb
Size/MD5 checksum: 877400 614df898211cc5311a62159f6ee21b93
http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_arm.deb
Size/MD5 checksum: 1405962 5e1e62d6f0a5984486fa2eaa478eab38
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_arm.deb
Size/MD5 checksum: 180520 96b5fe5d50b9a1d59eb5ab03489a1b90
http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_arm.deb
Size/MD5 checksum: 3572646 a8e804a9e966a57306a9229acd11ff80
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_hppa.deb
Size/MD5 checksum: 1533292 8d5c2d83596b10c9d3ee7a4dcb692026
http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_hppa.deb
Size/MD5 checksum: 3619256 2ad8452962291b553fadc8bb6398f834
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_hppa.deb
Size/MD5 checksum: 200874 27205d8a86701cb133f7507eeef5e76a
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_hppa.deb
Size/MD5 checksum: 283816 1163f67e39b08c10cf492b24bd526f24
http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_hppa.deb
Size/MD5 checksum: 264158 905749f1e385f9d93c2358b05dc42dfb
http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_hppa.deb
Size/MD5 checksum: 999386 6a071952604a9c30483fca7f3a3754ec
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_i386.deb
Size/MD5 checksum: 189442 879dac84b581979646c49bde9743c630
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_i386.deb
Size/MD5 checksum: 286808 2dcb4f8e5514d9e4d9072b4853da322d
http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_i386.deb
Size/MD5 checksum: 892068 449ba5d6037617e4e93dfd6bcb093549
http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_i386.deb
Size/MD5 checksum: 3560322 c6a6fbc66944bd05585c1065ab012c93
http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_i386.deb
Size/MD5 checksum: 244952 5a5b31ebb9098059e62eb57d209a6846
http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_i386.deb
Size/MD5 checksum: 1404266 a3bffb93ec3b0d0d130a6a7e29091a9b
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_ia64.deb
Size/MD5 checksum: 3589108 d34afb06a3b21ad7267ef5d31b6ad322
http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_ia64.deb
Size/MD5 checksum: 932026 1194a002673f8a73cf382c2333c7882b
http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_ia64.deb
Size/MD5 checksum: 352020 e40c570396514fee0c6eee3920be2607
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_ia64.deb
Size/MD5 checksum: 269084 1720388cc8102f33122375034a703a05
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_ia64.deb
Size/MD5 checksum: 259018 658248f4329555e81896800709302575
http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_ia64.deb
Size/MD5 checksum: 2006532 6ad20563d8999759f32445576fd69856
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_mips.deb
Size/MD5 checksum: 3712752 8d48a2797c1f4e6b5dea203698e4b31c
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_mips.deb
Size/MD5 checksum: 180956 88613b463fcdba79539048ce681d4f5e
http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_mips.deb
Size/MD5 checksum: 260240 f6fa5402a6fc03aef4b87735030969c5
http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_mips.deb
Size/MD5 checksum: 854756 76ad64ab6fe85c5bfc654266101e024a
http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_mips.deb
Size/MD5 checksum: 1394436 4930b2b56c642182c8ccd69d5bc53685
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_mips.deb
Size/MD5 checksum: 302106 3672bab4d2c0c037a1d9c0a61fa16139
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_powerpc.deb
Size/MD5 checksum: 3718584 7b120292ce66e7ea85b3ad623da0bb4e
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_powerpc.deb
Size/MD5 checksum: 295146 f131ea5cdbab25c2416ff06f6697bc08
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_powerpc.deb
Size/MD5 checksum: 199248 c683d506deb5fadabea906c9dec36c9f
http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_powerpc.deb
Size/MD5 checksum: 1536614 b5c37ae6f72127bdf6910100edeb06e5
http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_powerpc.deb
Size/MD5 checksum: 907106 6af4614c092e6ccda8580e6a73cb8728
http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_powerpc.deb
Size/MD5 checksum: 284952 b75e2ddab46ddab036ef40b21cec63ee
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_sparc.deb
Size/MD5 checksum: 872178 a7739e034d0df26a69e0cb569802d594
http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_sparc.deb
Size/MD5 checksum: 249022 334ecf73608e20ec6cff79716cf10fde
http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_sparc.deb
Size/MD5 checksum: 1387990 4935db487abd61e04adb3a846ed7aadc
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_sparc.deb
Size/MD5 checksum: 260980 006fdd6b90293fdf1331442ccabde568
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_sparc.deb
Size/MD5 checksum: 182822 73c3edfab6b52e772ed36c990c13f210
http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_sparc.deb
Size/MD5 checksum: 3502906 c19b8875ae915cec344bb74a5e462e44
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAksW4AQACgkQNxpp46476aqFDwCfZRJ0eCTLZ7Wvra3eWlaVIVsK
mWIAniapjMkolimxTFStHJO6vlEk4Fnj
=WbVZ
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists