Full_Name: Luben Karavelov
Version: 2.4.11-15
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (78.83.96.32)

We use LDAP for some user account authentication here, and we have found that queries of this kind:
ldapsearch -b "dc=users,dc=example,dc=com" "(&(objectClass=posixAccount)(uid=))"
kill slapd. It exits on assert( 0 ) at line 1366 of back-sql/search.c.
It is even nastier because it could be remotely triggered with
ssh -l "" server-with-ldap-accounts-in-nss.example.com
or through ftp using the same technique.
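
A way to spot the filter shape described in this report in server logs, as an added example that is not part of the original submission or of OpenLDAP: it scans search filters for assertions with an empty value, such as (uid=). The log line layout (a SRCH line carrying filter="...") and the sample lines are constructed assumptions; adjust the pattern to the local log format.

```python
import re

# Assumed log layout: '... SRCH base="..." scope=2 deref=0 filter="(...)"'
LOG_FILTER = re.compile(r'\bSRCH\b.*?\bfilter="([^"]*)"')
# Innermost parenthesised items; literal parens inside values are escaped
# as \28 and \29 in the string form of a filter, so they never appear raw.
LEAF = re.compile(r'\(([^()]*)\)')
# attribute, match operator, assertion value
ITEM = re.compile(r'^([^=~<>]+?)(~=|>=|<=|=)(.*)$')


def empty_assertions(ldap_filter):
    """Return the attributes that are compared against an empty value."""
    hits = []
    for leaf in LEAF.findall(ldap_filter):
        m = ITEM.match(leaf.strip())
        # Presence (uid=*) and substring (cn=a*) items have a non-empty
        # value part and are not reported.
        if m and m.group(3) == "":
            hits.append(m.group(1).rstrip(":").strip())
    return hits


def scan_log(lines):
    """Return (line_number, [attributes]) for each suspicious SRCH line."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LOG_FILTER.search(line)
        if m:
            attrs = empty_assertions(m.group(1))
            if attrs:
                findings.append((number, attrs))
    return findings


# Constructed sample lines, not taken from a real server.
BASE = 'SRCH base="dc=users,dc=example,dc=com" scope=2 deref=0 '
SAMPLE_LOG = [
    'conn=1001 op=1 ' + BASE + 'filter="(&(objectClass=posixAccount)(uid=alice))"',
    'conn=1002 op=1 ' + BASE + 'filter="(&(objectClass=posixAccount)(uid=))"',
    'conn=1003 op=1 ' + BASE + 'filter="(uid=*)"',
    'conn=1003 op=1 SRCH attr=uid cn',
]

if __name__ == "__main__":
    for number, attrs in scan_log(SAMPLE_LOG):
        print("line %d: empty assertion on %s" % (number, ", ".join(attrs)))
```

The same empty_assertions() check can be used in front of the directory, for example to reject an empty login name before a filter is built from it.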