(Conectiva Issues Fix) OpenLDAP Directory Server Can Be Crashed By Remote Users
SecurityTracker Alert ID: 1002371
SecurityTracker URL: http://securitytracker.com/id/1002371
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 8 2001
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Description:
CERT announced a vulnerability in the OpenLDAP implementation of the LDAP protocol that allows a remote user to cause the directory services to crash.
These vulnerabilities reportedly exist in the code that translates network datagrams into application-specific information. The server improperly processes packets with an invalid BER length specified for various length fields.
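As an added illustration (not OpenLDAP's code and not part of the advisory), this is the bounds check a BER decoder needs so that a datagram declaring a length larger than the bytes actually received is rejected instead of being read past its end; the function names and the sample datagrams are hypothetical and constructed here.

```c
#include <stddef.h>
#include <stdint.h>

/* Added illustration, not OpenLDAP code: a bounds-checked BER length decoder
 * of the kind a PDU parser needs before it trusts any length field. buf
 * points at the length octets, avail is how many bytes remain in the datagram.
 * Returns the number of length octets consumed and stores the content length
 * in *len, or -1 for an indefinite length, truncated length octets, a length
 * wider than size_t, or a declared length that runs past the buffer end. */
int ber_read_length(const uint8_t *buf, size_t avail, size_t *len)
{
    size_t hdr = 1, v;
    if (avail < 1)
        return -1;
    v = buf[0];
    if (v & 0x80) {                       /* long form: low bits = octet count */
        size_t n = v & 0x7f;
        if (n == 0 || n > sizeof(size_t))  /* indefinite form or absurd width */
            return -1;
        if (avail < 1 + n)                /* length octets themselves cut off */
            return -1;
        v = 0;
        for (size_t i = 0; i < n; i++)
            v = (v << 8) | buf[1 + i];
        hdr = 1 + n;
    }
    if (v > avail - hdr)                  /* the check a crashing parser lacked */
        return -1;
    *len = v;
    return (int)hdr;
}

/* Validates the outer SEQUENCE of an LDAPMessage (tag 0x30) and returns the
 * total PDU size in bytes, or -1 if its length field is bogus. */
int check_ldap_pdu(const uint8_t *buf, size_t avail)
{
    size_t len;
    int hdr;
    if (avail < 2 || buf[0] != 0x30)
        return -1;
    hdr = ber_read_length(buf + 1, avail - 1, &len);
    return hdr < 0 ? -1 : (int)(1 + hdr + len);
}

/* Constructed sample datagrams (not captured traffic). */
const uint8_t pdu_ok[]         = {0x30, 0x05, 0x02, 0x01, 0x01, 0x60, 0x00};
const uint8_t pdu_long_form[]  = {0x30, 0x81, 0x03, 0x02, 0x01, 0x01};
const uint8_t pdu_overlong[]   = {0x30, 0x84, 0xff, 0xff, 0xff, 0xff, 0x02};
const uint8_t pdu_indefinite[] = {0x30, 0x80, 0x02, 0x01, 0x01, 0x00, 0x00};
const uint8_t pdu_truncated[]  = {0x30, 0x82, 0x01};
```

The last three samples are the shapes the check must refuse: a declared length far beyond the received bytes, the indefinite-length form, and length octets cut off by the end of the datagram.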
Impact:
A remote user can cause the directory services to crash.
Solution:
The vendor has released a fix. See the Source Message for the vendor's advisory containing directions on how to obtain the appropriate fix.
Vendor URL: www.openldap.org/
Cause:
Exception handling error
Underlying OS:
Linux (Conectiva)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Wed, 29 Aug 2001 15:47:55 -0300
Subject: [conectiva-updates] [CLA-2001:417] Conectiva Linux Security Announcement - openldap
--------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------
PACKAGE : openldap
SUMMARY : Remote DoS vulnerability in openldap
DATE : 2001-08-29 15:47:00
ID : CLA-2001:417
RELEVANT RELEASES : 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0
-------------------------------------------------------------------------
DESCRIPTION
OpenLDAP is an LDAPv2 and LDAPv3 (starting with version 2.0.x)
server.
The PROTOS[2] project conducted several protocol tests with many
different LDAP servers. It was verified[3] that OpenLDAP versions
before 1.2.11 and 2.0.8 (from the 2.0.x series) have a remote denial
of service vulnerability that allows a remote attacker to disrupt the
service.
SOLUTION
It is recommended that all OpenLDAP users upgrade their packages.
Some remarks:
- it IS necessary to manually restart the service after applying the
update. Execute "/etc/rc.d/init.d/ldap restart";
- the openldap2 package (please note the version number together with
the name) supplied for CL6.0 is experimental, openldap-1.2.x is the
recommended version for that distribution. In particular, it is not
possible to have openldap version 1.2.x and openldap2 installed at
the same time in CL6.0;
- the openldap1 package (please note the version number together with
the name) supplied for CL7.0 only has the dynamic libraries in it: no
program in CL7.0 requires this package and it is provided only for
compatibility reasons.
REFERENCES
1. http://www.cert.org/advisories/CA-2001-18.html
2. http://www.ee.oulu.fi/research/ouspg/protos/
3. http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/index.html
4. http://www.openldap.org
5. http://www.kb.cert.org/vuls/id/935800
DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/openldap-1.2.12-1U41_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/openldap-devel-1.2.12-1U41_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/openldap-1.2.12-1U41_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/openldap-1.2.12-1U42_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/openldap-devel-1.2.12-1U42_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/openldap-1.2.12-1U42_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/openldap-1.2.12-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/openldap-devel-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/openldap-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/openldap-1.2.12-1U51_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/openldap-1.2.12-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/openldap-devel-1.2.12-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openldap-1.2.12-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap-devel-1.2.12-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap-1.2.12-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openldap2-2.0.11-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-devel-2.0.11-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-2.0.11-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-tests-2.0.11-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/openldap1-1.2.12-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openldap1-1.2.12-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/openldap-1.2.12-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openldap-devel-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openldap-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/openldap-1.2.12-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openldap-devel-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openldap-1.2.12-1U50_1cl.i386.rpm
ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
(you may also use linuxconf to do this):
rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
(replace 6.0 with the correct version number if you are not running CL6.0)
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
-------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
-------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
-------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br