[Pkg-openldap-devel] [SRM] (PRSC) Security fixes and possible database corruption

Matthijs Möhlmann matthijs at cacholong.nl
Tue Mar 29 06:38:58 UTC 2011 

On Mar 28, 2011, at 11:36 PM, Adam D. Barratt wrote:

> Hi,
> 
> Thanks for working on fixing issues in stable.
> 
> On Mon, 2011-03-28 at 22:41 +0200, Matthijs Möhlmann wrote:
>> According to bug #617606 there are currently 2 CVE's open.
>> CVE-2011-1024:
> [...]
>> CVE-2011-1025:
> 
> These look okay, although it doesn't appear that they've been resolved
> in unstable yet?  If so, that really should be done first.  Once the
> patches have been tested in unstable, we can then look again at applying
> them to stable.
> 
>> CVE-2011-1081:
>> modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attackers to cause a denial of service (daemon crash) via a relative Distinguished Name (DN) modification request (aka MODRDN operation) that contains an empty value for the OldDN field.
>> Fix: http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/modrdn.c.diff?hideattic=1&r1=text&tr1=1.181&r2=text&tr2=1.182&f=c
>> Impact: High, possibility to remotely crash slapd.
> 
> The security tracker indicates that this CVE hasn't yet been checked for
> its applicability to and impact on Debian.  Have you confirmed with the
> security team that they don't wish to handle this?
> 

No I havent confirmed with the security team. I'll file a ticket in their bug
tracking and then they can decide what to do. As suggested by Michael Gilbert.

>> Then we have a possible database corruption (introduced by patch service-operational-before-detach (debian specific))
>> Fix: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=service-operational-before-detach;att=1;bug=616164
>> Above fix is the new patch for service-operational-before-detach.
> 
> Looking at the upstream commits, should servers/slapd/main.c r1.279 be
> included here?  As with the earlier patches, this should also be tested
> in unstable before being applied to stable.
> 
> Regards,
> 
> Adam

You are right, I shouldn't blindly copy patches. Thanks for the notice.

Regards,

Matthijs Möhlmann

More information about the Pkg-openldap-devel mailing list