[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080305224606.GB9735@severus.strandboge.com>
Date: Wed, 5 Mar 2008 17:46:06 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-584-1] OpenLDAP vulnerabilities
===========================================================
Ubuntu Security Notice USN-584-1 March 05, 2008
openldap2.2, openldap2.3 vulnerabilities
CVE-2007-6698, CVE-2008-0658
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
slapd 2.2.26-5ubuntu2.6
Ubuntu 6.10:
slapd 2.2.26-5ubuntu3.3
Ubuntu 7.04:
slapd 2.3.30-2ubuntu0.2
Ubuntu 7.10:
slapd 2.3.35-1ubuntu0.2
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Jonathan Clarke discovered that the OpenLDAP slapd server did not
properly handle modify requests when using the Berkeley DB backend
and the NOOP control was used. An authenticated user with modify
permissions could send a crafted modify request and cause a denial
of service via application crash. Ubuntu 7.10 is not affected by
this issue. (CVE-2007-6698)
Ralf Haferkamp discovered that the OpenLDAP slapd server did not
properly handle modrdn requests when using the Berkeley DB backend
and the NOOP control was used. An authenticated user with modrdn
permissions could send a crafted modrdn request and possibly cause a
denial of service via application crash. (CVE-2007-6698)
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu2.6.diff.gz
Size/MD5: 513643 5ec2226be9a7a7ed4b08c8c129943979
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu2.6.dsc
Size/MD5: 1020 fa23dada98476932fb1e8c1e6d47a143
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26.orig.tar.gz
Size/MD5: 2626629 afc8700b5738da863b30208e1d3e9de8
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.6_amd64.deb
Size/MD5: 130552 9e5d6589617f2c98632b8c7c5a4f2afc
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.6_amd64.deb
Size/MD5: 165976 68032a07f814ef62556b539b17531161
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.6_amd64.deb
Size/MD5: 961572 6074803431925962b7500f1223ecba0e
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.6_i386.deb
Size/MD5: 118396 b8864fd7cb61e88cf5bd15ed5c87ce38
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.6_i386.deb
Size/MD5: 146100 27c057986763be36fd3b267ba1844bb2
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.6_i386.deb
Size/MD5: 873016 c392b5a10d1973fe2d6c264d496a0424
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.6_powerpc.deb
Size/MD5: 132736 a21157c2d376e3b4cdd7fdb2e3b97a2e
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.6_powerpc.deb
Size/MD5: 157168 a935b8931a79ec692fa3d10357feb811
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.6_powerpc.deb
Size/MD5: 959554 bd801628bccfdc5624d9386d0fb6c2d1
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.6_sparc.deb
Size/MD5: 120696 8efb65196a17efc1b397cadc874eb201
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.6_sparc.deb
Size/MD5: 148180 83781a94080002f4363d2fd557cec845
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.6_sparc.deb
Size/MD5: 903560 0ed257e45f1ae749cb3a0b4591328db4
Updated packages for Ubuntu 6.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu3.3.diff.gz
Size/MD5: 514824 2e3cf6b4dbcfc951d00875df98394a0e
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu3.3.dsc
Size/MD5: 1020 4cb25054b1a571a1c228d06b6fa8872a
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26.orig.tar.gz
Size/MD5: 2626629 afc8700b5738da863b30208e1d3e9de8
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu3.3_amd64.deb
Size/MD5: 130748 cec7e5a6bbd103d02f59b171e6d3cc62
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu3.3_amd64.deb
Size/MD5: 166720 eddb5a050a7637767c89f7f84b686bfc
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu3.3_amd64.deb
Size/MD5: 958496 551d5753a74f213bfc2cfd30849beae5
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu3.3_i386.deb
Size/MD5: 121340 35ae855094d28ba27c6adbd2dbe52125
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu3.3_i386.deb
Size/MD5: 152528 69a0aff9de16526d748439e3c7328ed3
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu3.3_i386.deb
Size/MD5: 900950 a594fcc12375717e00501ea309d19eff
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu3.3_powerpc.deb
Size/MD5: 133704 fe69e3b733b16e50360836197f7cecdc
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu3.3_powerpc.deb
Size/MD5: 158892 7310d1dd87e09123350b9338ebf20216
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu3.3_powerpc.deb
Size/MD5: 966698 424729c177d675a259d311d10aebbb18
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu3.3_sparc.deb
Size/MD5: 121598 f43c977b60ba22fa469141867d6bcfb2
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu3.3_sparc.deb
Size/MD5: 149344 766dab29f1fd99af475b331440c4c4cc
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu3.3_sparc.deb
Size/MD5: 909576 733c2d21d553061af3bfb4d6792a24d1
Updated packages for Ubuntu 7.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.30-2ubuntu0.2.diff.gz
Size/MD5: 140603 0f1ab4e378c92fb2e12887ec9046e0cc
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.30-2ubuntu0.2.dsc
Size/MD5: 1295 ee74d8bd01147a16a304705477171875
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.30.orig.tar.gz
Size/MD5: 2971126 c40bcc23fa65908b8d7a86a4a6061251
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.30-2ubuntu0.2_amd64.deb
Size/MD5: 187680 68efce79af7efe0a1d08201060361653
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.30-2ubuntu0.2_amd64.deb
Size/MD5: 292344 da795196baacdaac42894aa055629bea
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.30-2ubuntu0.2_amd64.deb
Size/MD5: 1228068 36e10789bdb22aa92428ec6d77d297b7
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.30-2ubuntu0.2_i386.deb
Size/MD5: 156110 034749aedc798753db0d9541c2c8b74e
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.30-2ubuntu0.2_i386.deb
Size/MD5: 267460 f0ffcab028cd2237b6dad5592c454659
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.30-2ubuntu0.2_i386.deb
Size/MD5: 1154810 73212a3a90a50d0fa342e886b61993f3
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.30-2ubuntu0.2_powerpc.deb
Size/MD5: 203704 6f1d507298df6933ce5ac77fb52ebfb2
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.30-2ubuntu0.2_powerpc.deb
Size/MD5: 294438 882c7302c977a3ef131b217ec8851eb7
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.30-2ubuntu0.2_powerpc.deb
Size/MD5: 1280484 2b30e19235b699552a37db6aaa40e874
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.30-2ubuntu0.2_sparc.deb
Size/MD5: 164430 d2e7b34d207937643dc45a3cdebd7e93
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.30-2ubuntu0.2_sparc.deb
Size/MD5: 264284 245d63568559de9d2692b59e45a78462
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.30-2ubuntu0.2_sparc.deb
Size/MD5: 1169954 44205386809e93336c4610c43fda8786
Updated packages for Ubuntu 7.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.35-1ubuntu0.2.diff.gz
Size/MD5: 151903 2cd8ba0d9c70957b9956e427809578b7
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.35-1ubuntu0.2.dsc
Size/MD5: 1305 57e636f0f209825bdab902f327bc5c9a
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.35.orig.tar.gz
Size/MD5: 2947629 5096146b7a7eb6ce3b0a97549347b5be
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.35-1ubuntu0.2_amd64.deb
Size/MD5: 190006 3163216fad39b4f6f6eeb1d5a7a0dee6
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.35-1ubuntu0.2_amd64.deb
Size/MD5: 347150 1ee13cb4baf6332cfc41842c56f24cbc
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.35-1ubuntu0.2_amd64.deb
Size/MD5: 1296380 c833d82c46dcf383895269e4382fdb44
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.35-1ubuntu0.2_i386.deb
Size/MD5: 155416 a55085d0ddd8c5efcf922cb4654ee432
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.35-1ubuntu0.2_i386.deb
Size/MD5: 314722 1e36f20fb6a2c7edf227a32e7c15702d
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.35-1ubuntu0.2_i386.deb
Size/MD5: 1216432 1e3cef622a3763e3f52c71cf799caf67
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.35-1ubuntu0.2_powerpc.deb
Size/MD5: 205216 25bf9ad7302ac5bfdd7aa17316bbfc7d
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.35-1ubuntu0.2_powerpc.deb
Size/MD5: 345862 3891c829c88334a631e29d3ab65f970e
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.35-1ubuntu0.2_powerpc.deb
Size/MD5: 1345548 2b31e34aeb9db8cf819e5e9f64fb2499
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.35-1ubuntu0.2_sparc.deb
Size/MD5: 166440 9729d0640a24245d806a1eaa4da57e25
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.35-1ubuntu0.2_sparc.deb
Size/MD5: 306882 7b8e476dcc15ce5d9d7b36de14617559
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.35-1ubuntu0.2_sparc.deb
Size/MD5: 1229006 496bc48c65314709cb2bb0f2570b7881
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists