[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080801152701.GF21348@outflux.net>
Date: Fri, 1 Aug 2008 08:27:01 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-634-1] OpenLDAP vulnerability
===========================================================
Ubuntu Security Notice USN-634-1 August 01, 2008
openldap2.2, openldap2.3 vulnerability
CVE-2008-2952
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
slapd 2.2.26-5ubuntu2.8
Ubuntu 7.04:
slapd 2.3.30-2ubuntu0.3
Ubuntu 7.10:
slapd 2.3.35-1ubuntu0.3
Ubuntu 8.04 LTS:
slapd 2.4.9-0ubuntu0.8.04.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Cameron Hotchkies discovered that OpenLDAP did not correctly handle
certain ASN.1 BER data. A remote attacker could send a specially crafted
packet and crash slapd, leading to a denial of service.
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu2.8.diff.gz
Size/MD5: 514393 4f9e265da3b3862538e819f77e2e3586
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu2.8.dsc
Size/MD5: 1058 b22c78f0d48cc36e948b54e3af20edfd
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26.orig.tar.gz
Size/MD5: 2626629 afc8700b5738da863b30208e1d3e9de8
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.8_amd64.deb
Size/MD5: 130764 97be6915cd08b18f1cebd0278fdb6cbd
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.8_amd64.deb
Size/MD5: 166234 f033393ec3c64058c9a330f3ff8f3ffd
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.8_amd64.deb
Size/MD5: 961898 d2a6a9b40ae45ee16f07081caf554e1f
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.8_i386.deb
Size/MD5: 118560 6e725d3528b0fbf7603ffaca188fd058
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.8_i386.deb
Size/MD5: 146330 c385cbad49d21de849f6deb69a3f24df
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.8_i386.deb
Size/MD5: 873280 e2c56f6d1a5a372b90c416d4270a9136
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.8_powerpc.deb
Size/MD5: 132924 3f6561c503b4aba5bdd7380ca16a9233
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.8_powerpc.deb
Size/MD5: 157382 6b375c5e1da604ff063770a1bacdf9ae
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.8_powerpc.deb
Size/MD5: 959922 18f40de968f784c06595986dc90ac2ba
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.8_sparc.deb
Size/MD5: 120868 e36bb816e65f673852040cbdc9e99fb8
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.8_sparc.deb
Size/MD5: 148406 5ee83d9e8ab2b6a7e43d4486ef4495fd
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.8_sparc.deb
Size/MD5: 903834 7fd3a71e6dfdfd629d15f1484eface61
Updated packages for Ubuntu 7.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.30-2ubuntu0.3.diff.gz
Size/MD5: 139053 aaea5b917bae9e40a49389eb18ee6b0b
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.30-2ubuntu0.3.dsc
Size/MD5: 1333 4bf113a4b679696671b740e0602c0d0c
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.30.orig.tar.gz
Size/MD5: 2971126 c40bcc23fa65908b8d7a86a4a6061251
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.30-2ubuntu0.3_amd64.deb
Size/MD5: 187762 3daa694023d35e8d1d5906531f77184e
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.30-2ubuntu0.3_amd64.deb
Size/MD5: 292432 5e91f231274471465056dab7ac915579
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.30-2ubuntu0.3_amd64.deb
Size/MD5: 1228150 2f5c3cff26ded73113db5c3ae9da2c81
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.30-2ubuntu0.3_i386.deb
Size/MD5: 156182 d70e186bfda981a71eee3c23b97c92c8
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.30-2ubuntu0.3_i386.deb
Size/MD5: 267618 9d188f962935c72538564fe57dded98f
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.30-2ubuntu0.3_i386.deb
Size/MD5: 1154914 83d7c5c110c5341d3d611dc9fad7cd47
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.30-2ubuntu0.3_powerpc.deb
Size/MD5: 203784 f2bc7da688b35227c7f3f8fa171fc504
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.30-2ubuntu0.3_powerpc.deb
Size/MD5: 294528 e22c51734656e016714aa23ac0822257
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.30-2ubuntu0.3_powerpc.deb
Size/MD5: 1280558 b6ada4c71ffb98a27638af78f2aa945f
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.30-2ubuntu0.3_sparc.deb
Size/MD5: 164516 441e58de64bed972d60fbba28e855d7b
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.30-2ubuntu0.3_sparc.deb
Size/MD5: 264402 1f166e5072bfcf4059caf05e783e5fb4
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.30-2ubuntu0.3_sparc.deb
Size/MD5: 1170022 c140469dc080ee8278d3ecdc235831d6
Updated packages for Ubuntu 7.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.35-1ubuntu0.3.diff.gz
Size/MD5: 151991 51ff8eebcede1f6fad3e31a2614e79d5
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.35-1ubuntu0.3.dsc
Size/MD5: 1343 9b21ec600b40a024bb1f7de69a9e95fb
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.35.orig.tar.gz
Size/MD5: 2947629 5096146b7a7eb6ce3b0a97549347b5be
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.35-1ubuntu0.3_amd64.deb
Size/MD5: 190088 5325d5369407eb873c98ee7f41615fde
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.35-1ubuntu0.3_amd64.deb
Size/MD5: 347238 74514bf63a843d67b3d0910e75709490
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.35-1ubuntu0.3_amd64.deb
Size/MD5: 1296502 6a572fccaab720d0e48c047e622dbb54
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.35-1ubuntu0.3_i386.deb
Size/MD5: 155520 59776c8fa4c5860f7f6156d8b4914c5f
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.35-1ubuntu0.3_i386.deb
Size/MD5: 314742 28a30e5baa754d2ae38af9b4ffbce9de
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.35-1ubuntu0.3_i386.deb
Size/MD5: 1216458 2c90d198d1d43e88d7588abe53293c71
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/o/openldap2.3/ldap-utils_2.3.35-1ubuntu0.3_lpia.deb
Size/MD5: 154744 8ad5d3c9c3560d8fea8fae38d8d75767
http://ports.ubuntu.com/pool/main/o/openldap2.3/libldap-2.3-0_2.3.35-1ubuntu0.3_lpia.deb
Size/MD5: 307278 18d45b49ce6400456015193e6cf600fb
http://ports.ubuntu.com/pool/main/o/openldap2.3/slapd_2.3.35-1ubuntu0.3_lpia.deb
Size/MD5: 1211812 783b0db2a54143566988d54cf1a4dcbe
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.35-1ubuntu0.3_powerpc.deb
Size/MD5: 205302 c623bf368b4109c62e90e373b9afe23f
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.35-1ubuntu0.3_powerpc.deb
Size/MD5: 345962 f8c94186487abe14abd758cb55fec8b1
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.35-1ubuntu0.3_powerpc.deb
Size/MD5: 1345648 cd8ea44a87c657b0ee27e182ff60fba2
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.35-1ubuntu0.3_sparc.deb
Size/MD5: 166528 8bece260d735957a9aae4974419a8e46
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.35-1ubuntu0.3_sparc.deb
Size/MD5: 306968 e7cdab9c3df1f7356132f47715e922ed
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.35-1ubuntu0.3_sparc.deb
Size/MD5: 1229088 f513afe9b2301f2d6832b1ab1c890581
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.4.9-0ubuntu0.8.04.1.diff.gz
Size/MD5: 144671 58f945638d8a393778cb4df222717edb
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.4.9-0ubuntu0.8.04.1.dsc
Size/MD5: 1547 c6a52c38b25a2f9d5c601c16f178a049
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.4.9.orig.tar.gz
Size/MD5: 3694611 3c0b5ae3d45f5675e67aaf81ce7decc9
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.4.9-0ubuntu0.8.04.1_amd64.deb
Size/MD5: 266934 6e5418f9691e9d706dca198030a16cbe
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.4-2-dbg_2.4.9-0ubuntu0.8.04.1_amd64.deb
Size/MD5: 292184 86aa494fc2b80820183d32b044d16b5f
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.4-2_2.4.9-0ubuntu0.8.04.1_amd64.deb
Size/MD5: 197958 090e06973eba26a1cff8e60a7f42a16c
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap2-dev_2.4.9-0ubuntu0.8.04.1_amd64.deb
Size/MD5: 868394 a5d7acae075d2c0826e0413272d018ad
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd-dbg_2.4.9-0ubuntu0.8.04.1_amd64.deb
Size/MD5: 3614964 3c49f3a956ad5db0ccf792d9b8d36dd1
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.4.9-0ubuntu0.8.04.1_amd64.deb
Size/MD5: 1448036 808090c707d68dc9d9901a1c980b3f21
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.4.9-0ubuntu0.8.04.1_i386.deb
Size/MD5: 245424 9219d82631dbe22fa6145206cbe85a98
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.4-2-dbg_2.4.9-0ubuntu0.8.04.1_i386.deb
Size/MD5: 282694 39a3b506f3ee6d8c097dd7d56dcadec3
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.4-2_2.4.9-0ubuntu0.8.04.1_i386.deb
Size/MD5: 182138 cfc345ff59b93219e75ab3eb90b959e7
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap2-dev_2.4.9-0ubuntu0.8.04.1_i386.deb
Size/MD5: 777646 4ce598932a7b6e36fee72664d31b77d3
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd-dbg_2.4.9-0ubuntu0.8.04.1_i386.deb
Size/MD5: 3533272 002c831a1311521e015324200bb25c88
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.4.9-0ubuntu0.8.04.1_i386.deb
Size/MD5: 1354600 ebfd92f0ebc07663e5bdad585efe8259
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/o/openldap2.3/ldap-utils_2.4.9-0ubuntu0.8.04.1_lpia.deb
Size/MD5: 246620 c573b1d987fd0b0f1d6e78b3fdd55e2d
http://ports.ubuntu.com/pool/main/o/openldap2.3/libldap-2.4-2-dbg_2.4.9-0ubuntu0.8.04.1_lpia.deb
Size/MD5: 285252 21e10a90681897f42e73c2d75891a829
http://ports.ubuntu.com/pool/main/o/openldap2.3/libldap-2.4-2_2.4.9-0ubuntu0.8.04.1_lpia.deb
Size/MD5: 177840 beaddaca16ab416eb8b7213c8f7f21db
http://ports.ubuntu.com/pool/main/o/openldap2.3/libldap2-dev_2.4.9-0ubuntu0.8.04.1_lpia.deb
Size/MD5: 779066 8ad40229d8403ab67b89fffa5a5838d4
http://ports.ubuntu.com/pool/main/o/openldap2.3/slapd-dbg_2.4.9-0ubuntu0.8.04.1_lpia.deb
Size/MD5: 3565372 471469186a53293b1ca37ae98214182d
http://ports.ubuntu.com/pool/main/o/openldap2.3/slapd_2.4.9-0ubuntu0.8.04.1_lpia.deb
Size/MD5: 1348534 7db3b6e67624f788898871bcdf4748ed
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/o/openldap2.3/ldap-utils_2.4.9-0ubuntu0.8.04.1_powerpc.deb
Size/MD5: 286564 9fdfd981184b736acf1ce3f23546fa8d
http://ports.ubuntu.com/pool/main/o/openldap2.3/libldap-2.4-2-dbg_2.4.9-0ubuntu0.8.04.1_powerpc.deb
Size/MD5: 288262 2b41a700b9c68003a64552d5878db89e
http://ports.ubuntu.com/pool/main/o/openldap2.3/libldap-2.4-2_2.4.9-0ubuntu0.8.04.1_powerpc.deb
Size/MD5: 192710 6f49c29d5c5a0d9057bceb5e3ae56096
http://ports.ubuntu.com/pool/main/o/openldap2.3/libldap2-dev_2.4.9-0ubuntu0.8.04.1_powerpc.deb
Size/MD5: 897520 ec87b7bb590ea7960f11d40820c10c4e
http://ports.ubuntu.com/pool/main/o/openldap2.3/slapd-dbg_2.4.9-0ubuntu0.8.04.1_powerpc.deb
Size/MD5: 3670418 eba5c8dae9d82d03e92dbc84580f06a2
http://ports.ubuntu.com/pool/main/o/openldap2.3/slapd_2.4.9-0ubuntu0.8.04.1_powerpc.deb
Size/MD5: 1494264 8f0cf97e665d58b769f83d542c56acf4
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/o/openldap2.3/ldap-utils_2.4.9-0ubuntu0.8.04.1_sparc.deb
Size/MD5: 248502 d4fbd44307a9920c36d2a6f9df7c1bcf
http://ports.ubuntu.com/pool/main/o/openldap2.3/libldap-2.4-2-dbg_2.4.9-0ubuntu0.8.04.1_sparc.deb
Size/MD5: 259242 a6743c6dd9c4409a13081c5ee035ddfd
http://ports.ubuntu.com/pool/main/o/openldap2.3/libldap-2.4-2_2.4.9-0ubuntu0.8.04.1_sparc.deb
Size/MD5: 178744 c92678408505baa4a7746140905a66b7
http://ports.ubuntu.com/pool/main/o/openldap2.3/libldap2-dev_2.4.9-0ubuntu0.8.04.1_sparc.deb
Size/MD5: 767462 b9432320d29b5c5d1eb6b1e7541561c8
http://ports.ubuntu.com/pool/main/o/openldap2.3/slapd-dbg_2.4.9-0ubuntu0.8.04.1_sparc.deb
Size/MD5: 3484818 ff70b240ab888a27628e3b3c3812e335
http://ports.ubuntu.com/pool/main/o/openldap2.3/slapd_2.4.9-0ubuntu0.8.04.1_sparc.deb
Size/MD5: 1349498 66253c6ffd2cb831c24b9713c3edcc87
Download attachment "signature.asc" of type "application/pgp-signature" (228 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists