[Pkg-openldap-devel] [SRM] (PRSC) Security fixes and possible database corruption
Jonathan Wiltshire
jmw at debian.org
Mon Mar 28 21:24:49 UTC 2011
On Mon, Mar 28, 2011 at 10:21:14PM +0100, Jonathan Wiltshire wrote:
> On Mon, Mar 28, 2011 at 10:41:23PM +0200, Matthijs Möhlmann wrote:
> > CVE-2011-1081:
> > modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attackers to cause a denial of service (daemon crash) via a relative Distinguished Name (DN) modification request (aka MODRDN operation) that contains an empty value for the OldDN field.
> > Fix: http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/modrdn.c.diff?hideattic=1&r1=text&tr1=1.181&r2=text&tr2=1.182&f=c
> > Impact: High, possibility to remotely crash slapd.
>
> This is new in the tracker, and so might be DSA material. Security team,
> can you decide if this should be a point release or a DSA please?
Sorry, I meant to add - if this is indeed fixed as a DSA, the other two issues
can be rolled up in it.
--
Jonathan Wiltshire jmw at debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20110328/ecfdfda5/attachment.pgp>
More information about the Pkg-openldap-devel
mailing list