Gentoo Logo

OpenLDAP: Denial of Service vulnerability

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200611-25 / openldap
Release Date November 28, 2006
Latest Revision November 28, 2006: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-nds/openldap < 2.3.27-r3 >= 2.3.27-r3, revision >= 2.2.28-r5, revision >= 2.1.30-r8 All supported architectures

Related bugreports: #154349

Synopsis

A flaw in OpenLDAP allows remote unauthenticated attackers to cause a Denial of Service.

2.  Impact Information

Background

OpenLDAP is a suite of LDAP-related applications and development tools.

Description

Evgeny Legerov has discovered that the truncation of an incoming authcid longer than 255 characters and ending with a space as the 255th character will lead to an improperly computed name length. This will trigger an assert in the libldap code.

Impact

By sending a BIND request with a specially crafted authcid parameter to an OpenLDAP service, a remote attacker can cause the service to crash.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All OpenLDAP users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose "net-nds/openldap"

4.  References

Print

Updated November 28, 2006

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Support OSL

Support OSL

Gentoo Centric Hosting: vr.org

VR Hosted

Tek Alchemy

Tek Alchemy

SevenL.net

SevenL.net

Global Netoptex Inc.

Global Netoptex Inc.

Bytemark

Bytemark
Copyright 2001-2008 Gentoo Foundation, Inc. Questions, Comments? Contact us.