lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060627105358.GC5171@piware.de>
Date: Tue Jun 27 11:53:32 2006
From: martin.pitt at canonical.com (Martin Pitt)
Subject: [USN-305-1] OpenLDAP vulnerability

=========================================================== 
Ubuntu Security Notice USN-305-1              June 27, 2006
openldap2, openldap2.2 vulnerability
CVE-2006-2754
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  slapd                          2.1.30-3ubuntu3.2

Ubuntu 5.10:
  slapd                          2.2.26-3ubuntu0.1

Ubuntu 6.06 LTS:
  slapd                          2.2.26-5ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

When processing overly long host names in OpenLDAP's slurpd replication
server, a buffer overflow caused slurpd to crash.

If an attacker manages to inject a specially crafted host name into
slurpd, this might also be exploited to execute arbitrary code with
slurpd's privileges; however, since slurpd is usually set up to
replicate only trusted machines, this should not be exploitable in
normal cases.


Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/openldap2_2.1.30-3ubuntu3.2.diff.gz
      Size/MD5:   117693 811feb51c50318d90b2f8d3955bd2cd4
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/openldap2_2.1.30-3ubuntu3.2.dsc
      Size/MD5:      988 772bf522a7b5211787dc7272ea0b71cb
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/openldap2_2.1.30.orig.tar.gz
      Size/MD5:  2044673 e2ae8148c4bed07d7a70edd930bdc403

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libslapd2-dev_2.1.30-3ubuntu3.2_all.deb
      Size/MD5:    72546 3fe7d6a3e99f1d49d049127af41a8334

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/ldap-utils_2.1.30-3ubuntu3.2_amd64.deb
      Size/MD5:   126502 b78a3e1a2d62ba78ca38842ba9c7b05a
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2-dev_2.1.30-3ubuntu3.2_amd64.deb
      Size/MD5:   361334 2d589dc600e42bc19024170fcb728d39
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2_2.1.30-3ubuntu3.2_amd64.deb
      Size/MD5:   309204 c13675910f7c21bb3e723592c6e495f2
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/slapd_2.1.30-3ubuntu3.2_amd64.deb
      Size/MD5:  1088128 a3b2230434033fd0070d643b3c09c1d4

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/ldap-utils_2.1.30-3ubuntu3.2_i386.deb
      Size/MD5:   110870 7cbb5b6f1ba2118946c6811076b701fa
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2-dev_2.1.30-3ubuntu3.2_i386.deb
      Size/MD5:   318170 8dab1fcba483d48cac5bcda3b0c4a58c
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2_2.1.30-3ubuntu3.2_i386.deb
      Size/MD5:   284732 301a45c6f09a37332ea5a7b184e8c176
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/slapd_2.1.30-3ubuntu3.2_i386.deb
      Size/MD5:   979438 ff72cd74acd311e16307286b6c598130

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/ldap-utils_2.1.30-3ubuntu3.2_powerpc.deb
      Size/MD5:   129774 2b223fe63713e7f4cfbdb434b251d69e
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2-dev_2.1.30-3ubuntu3.2_powerpc.deb
      Size/MD5:   373308 bb5106479b3f3928f8eaf247a2c9af01
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2_2.1.30-3ubuntu3.2_powerpc.deb
      Size/MD5:   302964 73c3c1603cd8a00e4a49f6486676ecb6
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/slapd_2.1.30-3ubuntu3.2_powerpc.deb
      Size/MD5:  1058408 e483f9a6ecbee4aee2dd196b399e15ed

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-3ubuntu0.1.diff.gz
      Size/MD5:   495731 9e5ff179d3930bba207a013a9361f5b0
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-3ubuntu0.1.dsc
      Size/MD5:     1020 23742091bec8567bf0dfc5326657fb12
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26.orig.tar.gz
      Size/MD5:  2626629 afc8700b5738da863b30208e1d3e9de8

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-3ubuntu0.1_amd64.deb
      Size/MD5:   129756 57ed4fbea2a6c2b0de87878fc81417da
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-3ubuntu0.1_amd64.deb
      Size/MD5:   164128 6e18cf1741f0b0dd7ab88279b052a1a3
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-3ubuntu0.1_amd64.deb
      Size/MD5:   954370 635ae92d2157d53b2957b062e3dc5661

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-3ubuntu0.1_i386.deb
      Size/MD5:   118146 e50ccd57a1f71e904193040b47d5d59c
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-3ubuntu0.1_i386.deb
      Size/MD5:   144742 162e0c8d96ab25641f1aa36e25ddd1d1
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-3ubuntu0.1_i386.deb
      Size/MD5:   865922 e848677ebffa8f749d25d2d809e6f32c

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-3ubuntu0.1_powerpc.deb
      Size/MD5:   132322 5af4200f87b773f803585472cdb02d0b
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-3ubuntu0.1_powerpc.deb
      Size/MD5:   155466 2b54e0326fa70088eea062590975ec36
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-3ubuntu0.1_powerpc.deb
      Size/MD5:   954736 44a826baae1253ecb074f415e6bf7d38

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-3ubuntu0.1_sparc.deb
      Size/MD5:   121364 7345da5217fbfb8761347d3eb03d7f5e
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-3ubuntu0.1_sparc.deb
      Size/MD5:   147560 cbb0badc7b85347112c19116ead6d3f2
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-3ubuntu0.1_sparc.deb
      Size/MD5:   899418 14cce6ef47a4f84c1936b0a3704d81e1

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu2.1.diff.gz
      Size/MD5:   514340 41d918c94861a09c91c720e58a8746b1
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu2.1.dsc
      Size/MD5:     1022 deab91ea4c8e19422e9cc4f1f32b49e3
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26.orig.tar.gz
      Size/MD5:  2626629 afc8700b5738da863b30208e1d3e9de8

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.1_amd64.deb
      Size/MD5:   130156 2bc0b9509a895aea193721624feb249b
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.1_amd64.deb
      Size/MD5:   165566 ef6c9d06239fddf2b3412975c60d7fe4
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.1_amd64.deb
      Size/MD5:   960764 6a2fd21f5e54e517f08196c859b186e2

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.1_i386.deb
      Size/MD5:   118086 ffa215efabd92e67fe620a6214b78d3c
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.1_i386.deb
      Size/MD5:   145656 f2b0606f73d4829949b2c06abbb0ec10
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.1_i386.deb
      Size/MD5:   872454 18a48a067b86be5154966cc787d49195

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.1_powerpc.deb
      Size/MD5:   132332 e5da252ccd064af45df00a604b9921ca
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.1_powerpc.deb
      Size/MD5:   156718 fda4dd9465fd6796eda8bef9379db677
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.1_powerpc.deb
      Size/MD5:   958870 728c6cd9b0dd4a74e48dd6734e058675

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.1_sparc.deb
      Size/MD5:   120398 2d899349a89ccaea09e074828249ba57
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.1_sparc.deb
      Size/MD5:   147776 4c64e80390003866ef720c1276bc1f82
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.1_sparc.deb
      Size/MD5:   902976 dcecebf79109357fdc8278b89d3f8bd2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060627/a8726687/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ