lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <87ocdq14yb.fsf@mid.deneb.enyo.de>
Date: Thu, 29 Jul 2010 21:08:28 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: debian-security-announce@...ts.debian.org
Subject: [SECURITY] [DSA 2077-1] New openldap packages fix
	potential code execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2077-1                  security@...ian.org
http://www.debian.org/security/                           Florian Weimer
July 29, 2010                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : openldap
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2010-0211 CVE-2010-0212

Two remote vulnerabilities have been discovered in OpenLDAP.  The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2010-0211

    The slap_modrdn2mods function in modrdn.c in OpenLDAP 2.4.22 does
    not check the return value of a call to the smr_normalize
    function, which allows remote attackers to cause a denial of
    service (segmentation fault) and possibly execute arbitrary code
    via a modrdn call with an RDN string containing invalid UTF-8
    sequences.

CVE-2010-0212

    OpenLDAP 2.4.22 allows remote attackers to cause a denial of
    service (crash) via a modrdn call with a zero-length RDN
    destination string.

For the stable distribution (lenny), this problem has been fixed in
version 2.4.11-1+lenny2.  (The missing update for the mips
architecture will be provided soon.)

For the unstable distribution (sid), this problem has been fixed in
version 2.4.23-1.

We recommend that you upgrade your openldap packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/o/openldap/openldap_2.4.11-1+lenny2.dsc
    Size/MD5 checksum:     1831 afe836285d70b3d51b50d06658b7cc22
  http://security.debian.org/pool/updates/main/o/openldap/openldap_2.4.11.orig.tar.gz
    Size/MD5 checksum:  4193523 d4e8669e2c9b8d981e371e97e3cf92d9
  http://security.debian.org/pool/updates/main/o/openldap/openldap_2.4.11-1+lenny2.diff.gz
    Size/MD5 checksum:   149276 e9668ba9648e3e1f306a97c6cc77d5a3

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny2_alpha.deb
    Size/MD5 checksum:  1018392 d18b30dd684b7582ba3f5fda7c0ec52d
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny2_alpha.deb
    Size/MD5 checksum:   284794 3d3094d356fa97396dd53701ff8177c1
  http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny2_alpha.deb
    Size/MD5 checksum:  3625184 8c651f17c240c4222c26783e1333d7b4
  http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny2_alpha.deb
    Size/MD5 checksum:   281172 d91f060a2e0e9b3f7651913228e33a45
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny2_alpha.deb
    Size/MD5 checksum:   206338 7a268eec31460d56dfa4e51000a0f20e
  http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny2_alpha.deb
    Size/MD5 checksum:  1534546 70ae45ec33481afbf305544bf9d70cb0

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny2_amd64.deb
    Size/MD5 checksum:   205426 c7fecb2287a970a5b06e1dd053413cf6
  http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny2_amd64.deb
    Size/MD5 checksum:  3665336 a25a01da15aed085d7476043a69c9f43
  http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny2_amd64.deb
    Size/MD5 checksum:   266508 be5e6b39fb89340139dbde19f09a6777
  http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny2_amd64.deb
    Size/MD5 checksum:   972300 a73c35b4c7f48427a8fd5fe971c1aac4
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny2_amd64.deb
    Size/MD5 checksum:   299624 b132ed70255863a64e1eb94a5700dbf0
  http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny2_amd64.deb
    Size/MD5 checksum:  1509162 0e9758a242eb928e9c5287d2801f280b

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny2_arm.deb
    Size/MD5 checksum:  1413404 2ff76be2a9be2109b995d2fbb89ba776
  http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny2_arm.deb
    Size/MD5 checksum:   248960 042b8f1642b8ea512ba4abdf8a60d2b3
  http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny2_arm.deb
    Size/MD5 checksum:  3576526 6c38ec7d7a9e3a35e043cdb4276b837c
  http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny2_arm.deb
    Size/MD5 checksum:   869398 5f75a2717d71579905ba1058d530ede0
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny2_arm.deb
    Size/MD5 checksum:   179976 b69cc3f9fd1f4f09eb015e28b60d3b3a
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny2_arm.deb
    Size/MD5 checksum:   279998 0534bb7fb3fc4eaf311bf846dfb3c800

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny2_armel.deb
    Size/MD5 checksum:   244982 09dc4f6dc96aab40b399b52cdd440f49
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny2_armel.deb
    Size/MD5 checksum:   281290 ed72c73b8018e02b579af7fc8652ad5a
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny2_armel.deb
    Size/MD5 checksum:   179660 3ca1f0b69016395df01441d2be719acb
  http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny2_armel.deb
    Size/MD5 checksum:   863030 4382d905de1db012e3197c1b4cbd53f9
  http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny2_armel.deb
    Size/MD5 checksum:  3583978 00372759861243bb13585f34bf93be4b
  http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny2_armel.deb
    Size/MD5 checksum:  1407120 b0fa8a6ea8d9b2305967c1f6486fa901

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny2_hppa.deb
    Size/MD5 checksum:   998740 a675f6577888e4518b38fe32ed9c0954
  http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny2_hppa.deb
    Size/MD5 checksum:  1532150 1eaf00efdb3f58b494466c6af919d27b
  http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny2_hppa.deb
    Size/MD5 checksum:   264082 b88df4740a44865d431b292f0e029475
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny2_hppa.deb
    Size/MD5 checksum:   284888 7ce39229438af13c8220edece4e9c856
  http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny2_hppa.deb
    Size/MD5 checksum:  3621796 d4307c86696c24a200ac12a310885289
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny2_hppa.deb
    Size/MD5 checksum:   201312 e826b1ca00ff0f50fb9472d5f28551f6

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny2_i386.deb
    Size/MD5 checksum:  3562530 a1866b654c74dadd577d7a8322285553
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny2_i386.deb
    Size/MD5 checksum:   189038 039bf2208067cb5899a6c9ae6364a74d
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny2_i386.deb
    Size/MD5 checksum:   286894 0acddd599377272201cd6788a0f19bdc
  http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny2_i386.deb
    Size/MD5 checksum:   244480 d2ca1f47200257729bfde83e67526527
  http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny2_i386.deb
    Size/MD5 checksum:  1397792 3740fe46b91fa94690c5cb081b286041
  http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny2_i386.deb
    Size/MD5 checksum:   870436 f92b3b1928099d93ae35a98e9a75ac65

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny2_ia64.deb
    Size/MD5 checksum:  1038332 2a23da950b3354b1027cb991ba2e9bd1
  http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny2_ia64.deb
    Size/MD5 checksum:  2016204 54caa4d0966584b247bc4cffdac00d94
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny2_ia64.deb
    Size/MD5 checksum:   269460 89ba522a4c15ac0dacb6537edf468bb9
  http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny2_ia64.deb
    Size/MD5 checksum:   352176 383c904bee22aee1d94d238de24768e0
  http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny2_ia64.deb
    Size/MD5 checksum:  3590732 49ac7b30b339381b7d01f9d86ac7e54f
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny2_ia64.deb
    Size/MD5 checksum:   258836 36313ee33851fcc77c9a49bb340f30b2

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny2_mipsel.deb
    Size/MD5 checksum:  3641930 05338b1bcd1ae4a5d921023ce12baa24
  http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny2_mipsel.deb
    Size/MD5 checksum:  1388338 045112a49ef59f53286e6ff8dcf56f1c
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny2_mipsel.deb
    Size/MD5 checksum:   181222 e2fc86fb9b0e1ca335aa92bdd9ee8088
  http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny2_mipsel.deb
    Size/MD5 checksum:   261520 f4317c50476ed380b91546a81753483f
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny2_mipsel.deb
    Size/MD5 checksum:   296334 5c106ddb8aab107366077d8bf6c013e4
  http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny2_mipsel.deb
    Size/MD5 checksum:   846022 87238f27ad1428d0ae2b2555cc5831c7

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny2_powerpc.deb
    Size/MD5 checksum:   295538 7193f88b4fc784f1bc49e16db44bc451
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny2_powerpc.deb
    Size/MD5 checksum:   199352 7cdb792324d09442a7029f768300a830
  http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny2_powerpc.deb
    Size/MD5 checksum:  1558086 d65f456faf9ac835725a86c3a0c13122
  http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny2_powerpc.deb
    Size/MD5 checksum:   981510 805f717025ed2e56d241e98987173012
  http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny2_powerpc.deb
    Size/MD5 checksum:  3721030 85d95b637bcd3de3527cb11554f54d8e
  http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny2_powerpc.deb
    Size/MD5 checksum:   284672 d49b7a5067b6671933194b849f2f5419

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny2_s390.deb
    Size/MD5 checksum:  1045564 a9c32d3b14f6969228def0dab1f7209c
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny2_s390.deb
    Size/MD5 checksum:   298596 07c975378ad71d9d83ba951f71dc4140
  http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny2_s390.deb
    Size/MD5 checksum:   266258 d6bfe59a7514b370eea5380d30e4d5b2
  http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny2_s390.deb
    Size/MD5 checksum:  3700520 c032e0d5e2a209597a7c40e3c6aedfb0
  http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny2_s390.deb
    Size/MD5 checksum:  1497898 6b20aec732079628189c126595676d80
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny2_s390.deb
    Size/MD5 checksum:   204656 ded26b56657fd5db7686c8163aa9ac11

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny2_sparc.deb
    Size/MD5 checksum:  1394762 207402a46ff26af86197ea981ea25ab8
  http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny2_sparc.deb
    Size/MD5 checksum:   248828 013b1d3f070546d2524cbe4d49370810
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny2_sparc.deb
    Size/MD5 checksum:   182914 4e271359df09ba43102089da55778d9a
  http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny2_sparc.deb
    Size/MD5 checksum:   858646 e5e75c350ab491ad5a90413bc1de84df
  http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny2_sparc.deb
    Size/MD5 checksum:   261014 37c7cc86a4ae1e84ad9e42b8a302a9e8
  http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny2_sparc.deb
    Size/MD5 checksum:  3501616 2b2fc3cb381ccf9b10901e90999a7403


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJMUdPkAAoJEL97/wQC1SS+UJAH/0ZlUxtpP8xG+zJ/ykQ3qN//
JW0tZIvA+16PMwLbqJ6fb/DFOjxYyYeDaS680X4VaSZLO1SCFcCwnsDiJM7sKd6X
JbnzgaJcIUmK0qlLuB1oEYsWlqY1yYN5fetxhcZNfrXAhP+NbuACcs/X7Gu94uV4
hGioiG4j2dIe4hJS3JO4tMbigmzg4rlAW4PDRtWfAY5JVMzHP3wN+iOPBynWTgGR
Z1hZntJhZw/nRpfSFJBU2EhkMuhkd6aLHtZppwJj1h5Q2slkVt5/a1dyqpplXc0T
014EEKlxSB9kgVILF7gs5RTJrdOYRtV5VashW05QMBNhOL0/GtlnFJxVcZjz/aA=
=1+N0
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ