Message-ID: <20080801152701.GF21348@outflux.net>
Date: Fri, 1 Aug 2008 08:27:01 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-634-1] OpenLDAP vulnerability

===========================================================
Ubuntu Security Notice USN-634-1            August 01, 2008
openldap2.2, openldap2.3 vulnerability
CVE-2008-2952
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  slapd                           2.2.26-5ubuntu2.8

Ubuntu 7.04:
  slapd                           2.3.30-2ubuntu0.3

Ubuntu 7.10:
  slapd                           2.3.35-1ubuntu0.3

Ubuntu 8.04 LTS:
  slapd                           2.4.9-0ubuntu0.8.04.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Cameron Hotchkies discovered that OpenLDAP did not correctly handle
certain ASN.1 BER data.  A remote attacker could send a specially crafted
packet and crash slapd, leading to a denial of service.
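The defect class the advisory describes, BER data whose length fields are not checked against the bytes actually received, is easiest to see from the defender's side. The following is an added example written for this page, not OpenLDAP's liblber code, and it does not reproduce the specific CVE-2008-2952 defect: a minimal BER tag/length decoder that rejects any element whose declared length does not fit inside the packet. `ber_hdr`, `ber_decode_hdr`, `ber_value_len` and the sample PDUs are all constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Added example, not OpenLDAP's liblber code: the bounds checks a BER decoder
 * needs so a malformed length field cannot drive reads past the packet end. */
typedef struct {
    uint8_t tag;        /* single-byte tag (every LDAP tag number is < 31) */
    size_t  hdr_len;    /* bytes used by the tag plus the length octets */
    size_t  value_len;  /* length of the value that follows the header */
} ber_hdr;

/* Decode one BER tag/length header from buf[0..buf_len). Returns true only if
 * the complete element (header + value) fits inside buf; rejects truncated
 * headers, indefinite length (0x80), length fields wider than size_t,
 * high-tag-number form, and values that would run past buf_len. */
bool ber_decode_hdr(const uint8_t *buf, size_t buf_len, ber_hdr *out)
{
    if (buf_len < 2) return false;                 /* need tag + length byte */
    size_t pos = 0;
    uint8_t tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f) return false;        /* multi-byte tag number */
    uint8_t lb = buf[pos++];
    size_t len = lb;                               /* short form when lb < 0x80 */
    if (lb >= 0x80) {                              /* long form: lb & 0x7f octets */
        size_t n = lb & 0x7f;
        if (n == 0 || n > sizeof(size_t)) return false; /* indefinite/oversized */
        if (buf_len - pos < n) return false;       /* length octets truncated */
        len = 0;
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[pos++];
    }
    if (len > buf_len - pos) return false;         /* value exceeds packet */
    out->tag = tag; out->hdr_len = pos; out->value_len = len;
    return true;
}

/* Value length of the outer element, or -1 if the header is rejected. */
long ber_value_len(const uint8_t *buf, size_t buf_len)
{
    ber_hdr h;
    return ber_decode_hdr(buf, buf_len, &h) ? (long)h.value_len : -1;
}

/* Constructed inputs: a well-formed SEQUENCE { INTEGER 1 }, a packet whose
 * length field claims ~4 GiB that is not present, and an indefinite length. */
const uint8_t pdu_ok[]    = { 0x30, 0x03, 0x02, 0x01, 0x01 };
const uint8_t pdu_huge[]  = { 0x30, 0x84, 0xff, 0xff, 0xff, 0xff };
const uint8_t pdu_indef[] = { 0x30, 0x80, 0x02, 0x01, 0x01, 0x00, 0x00 };
```

A decoder that walks nested elements should apply the same check at every level, passing the parent's `value_len` as the child's `buf_len` rather than the whole packet length.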

