OpenLDAP Project wrote:
OpenLDAP 2.3.35 is now available for download as detailed on our download page: http://www.openldap.org/software/download/
and should soon be available on all official mirrors: ftp://ftp.openldap.org/pub/OpenLDAP/MIRRORS
This is a maintenance release and is made available for general use. Users of OpenLDAP Software are encouraged to upgrade.
Significant contributors to this release include: Quanah Gibson-Mount (Stanford) Pierangelo Masarati (SysNet) Howard Chu (Symas)
-- The OpenLDAP Project
OpenLDAP 2.3.35 Release (2007/04/09) Fixed ldapmodify to use correct memory free functions (ITS#4901) Fixed slapd acl set minor typo (ITS#4874) Fixed slapd entry consistency check in str2entry2 (ITS#4852) Fixed slapd ldapi:// credential issue (ITS#4893)
ITS#4893 addresses security implications on HPUX. If you're using ldapi:// on HPUX 11 it is possible for regular users to bind to the directory with the credentials of Unix root. Similar exploits may be possible on AIX 5.1 and older, and Solaris 2.9 and older. This release disables the insecure credential passing mechanism on these OS versions; if you were relying on SASL/EXTERNAL authentication with ldapi:// on the affected platforms that mechanism will no longer work after you install this release.
We may re-enable these mechanisms in a later update, depending on user demand. In the meantime, if you're using ldapi:// on these platforms, you need to stop or upgrade to this release ASAP. Workarounds are still being tested and will be made available as they become ready.
openldap-software@openldap.org