Howard Chu wrote:
ryan@nardis.ca wrote:
Full_Name: Ryan Tandy
Version: master (7df548d), RE24 (2b14bbc)
OS: Debian unstable
URL:
Submission from: (NULL) (142.32.208.227)
If you use the deref control but leave the list of requested attributes empty, slapd crashes.
ldapsearch [...] -E deref=member:
The ldapsearch manpage implies this probably isn't valid, but it still accepted it. (FWIW, I tried it just to see whether it would return all attributes or none.) I couldn't tell from draft-ldap-deref-00 whether an empty attr list is considered a valid request.
Patched in master to reject a request with an empty attr list.
For future reference, this was registered as CVE-2015-1545.
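The kind of check the fix describes (reject a deref request whose attribute list is empty), sketched as an added example; it is not the OpenLDAP patch or any code from this thread. It assumes the control value layout from the deref draft (a SEQUENCE OF DerefSpec, each a SEQUENCE of a derefAttr string and a SEQUENCE OF attribute strings); `tlv`, `deref_value_ok` and the sample byte strings are hypothetical names and constructed values.

```c
#include <stddef.h>

/* Constructed sample control values (not captured traffic):
 * sample_ok derefs "member" and asks for "cn"; sample_empty asks for nothing. */
static const unsigned char sample_ok[] = { 0x30,0x10, 0x30,0x0e,
    0x04,0x06,'m','e','m','b','e','r', 0x30,0x04, 0x04,0x02,'c','n' };
static const unsigned char sample_empty[] = { 0x30,0x0c, 0x30,0x0a,
    0x04,0x06,'m','e','m','b','e','r', 0x30,0x00 };

/* Read one definite-length BER header; on success *p points at the value. */
static int tlv(const unsigned char **p, const unsigned char *end,
               unsigned char *tag, size_t *len)
{
    const unsigned char *q = *p;
    size_t n, k;
    if (end - q < 2) return 0;
    *tag = *q++; n = *q++;
    if (n & 0x80) {                     /* long form, at most 2 length bytes */
        k = n & 0x7f;
        if (k == 0 || k > 2 || (size_t)(end - q) < k) return 0;
        for (n = 0; k > 0; k--) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return 0;
    *p = q; *len = n;
    return 1;
}

/* 1 if buf is a SEQUENCE OF DerefSpec where every DerefSpec names a
 * derefAttr and at least one attribute to return; 0 otherwise. */
int deref_value_ok(const unsigned char *buf, size_t buflen)
{
    const unsigned char *p = buf, *end = buf + buflen, *spec_end;
    unsigned char tag; size_t len; int specs = 0;
    if (!tlv(&p, end, &tag, &len) || tag != 0x30 || p + len != end) return 0;
    while (p < end) {
        if (!tlv(&p, end, &tag, &len) || tag != 0x30) return 0;
        spec_end = p + len;
        if (!tlv(&p, spec_end, &tag, &len) || tag != 0x04 || !len) return 0;
        p += len;                       /* skip derefAttr */
        if (!tlv(&p, spec_end, &tag, &len) || tag != 0x30) return 0;
        if (len == 0 || p + len != spec_end) return 0;  /* empty attr list */
        while (p < spec_end) {
            if (!tlv(&p, spec_end, &tag, &len) || tag != 0x04 || !len) return 0;
            p += len;
        }
        specs++;
    }
    return specs > 0;
}
```

Running the check before the control is acted on means the empty-list case is refused at parse time, alongside truncated or trailing-garbage encodings.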