Message-Id: <E1Q4vlc-0004Wi-Ay@titan.mandriva.com>
Date: Wed, 30 Mar 2011 15:49:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2011:056 ] openldap


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:056
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : openldap
 Date    : March 30, 2011
 Affected: 2010.0, 2010.1
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been identified and fixed in openldap:
 
 chain.c in back-ldap in OpenLDAP 2.4.x before 2.4.24,
 when a master-slave configuration with a chain overlay and
 ppolicy_forward_updates (aka authentication-failure forwarding) is
 used, allows remote authenticated users to bypass external-program
 authentication by sending an invalid password to a slave server
 (CVE-2011-1024).
 
 bind.cpp in back-ndb in OpenLDAP 2.4.x before 2.4.24 does not require
 authentication for the root Distinguished Name (DN), which allows
 remote attackers to bypass intended access restrictions via an
 arbitrary password (CVE-2011-1025).
 
 modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote
 attackers to cause a denial of service (daemon crash) via a relative
 Distinguished Name (DN) modification request (aka MODRDN operation)
 that contains an empty value for the OldDN field (CVE-2011-1081).
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1024
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1025
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1081
 _______________________________________________________________________

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
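 For anyone fetching the RPMs by hand rather than through urpmi, the MD5 check the advisory says is done automatically can be reproduced against the advisory's own package listing, where each package appears as one "<md5>  <relative path>" line. The script below is an added example, not Mandriva tooling; the directory layout and package names it constructs are stand-ins.

```python
# Verify downloaded update packages against the "<md5>  <path>" lines an
# advisory lists. Added example, not Mandriva's tooling; the sample
# packages built in demo() are constructed stand-ins, not real RPMs.
import hashlib
import os
import re
import tempfile

# One advisory package line: 32 hex digits, whitespace, relative .rpm path.
LINE_RE = re.compile(r"^\s*([0-9a-f]{32})\s+(\S+\.rpm)\s*$")


def parse_package_list(advisory_text):
    """Return {relative_path: expected_md5} for every package line found."""
    sums = {}
    for line in advisory_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sums[m.group(2)] = m.group(1)
    return sums


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(advisory_text, download_dir):
    """Return {relative_path: 'ok' | 'mismatch' | 'missing'}.
    Anything reported as 'mismatch' must not be installed."""
    result = {}
    for rel, expected in parse_package_list(advisory_text).items():
        path = os.path.join(download_dir, rel)
        if not os.path.isfile(path):
            result[rel] = "missing"
        else:
            result[rel] = "ok" if md5_of_file(path) == expected else "mismatch"
    return result


def demo():
    """Constructed sample: one intact file, one tampered, one not downloaded."""
    tmp = tempfile.mkdtemp()
    good = b"constructed package bytes"
    os.makedirs(os.path.join(tmp, "2010.0/i586"))
    with open(os.path.join(tmp, "2010.0/i586/a.rpm"), "wb") as f:
        f.write(good)
    with open(os.path.join(tmp, "2010.0/i586/b.rpm"), "wb") as f:
        f.write(b"tampered bytes")
    advisory = (" Updated Packages:\n"
                f" {hashlib.md5(good).hexdigest()}  2010.0/i586/a.rpm\n"
                f" {hashlib.md5(good).hexdigest()}  2010.0/i586/b.rpm\n"
                f" {'0' * 32}  2010.0/i586/c.rpm\n")
    return verify_downloads(advisory, tmp)
```

 An MD5 match only confirms the download matches the advisory text; the GPG signature check on the package (and on the advisory itself) is what ties it to Mandriva's key.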

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
