On 02/06/15 13:47, Paul B. Henson wrote:
> I haven't seen any announcement of this other than on security lists, but there's an unauthenticated remote DoS bug in 2.4.40:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776991
> The actual ITS is a bit confusing: the reporter at one point says he had the issue with a beta version of 2.4.40 and that it didn't work against the release, but Debian confirmed it kills their official 2.4.40 package, and it caused a segfault against my Gentoo 2.4.40 release, so if you're running 2.4.40 (older versions are not vulnerable), it's probably worth applying the patch from head:
> http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=patch;h=2f1a2dd329...
> I rebuilt my 2.4.40 with this and it no longer dies when the PoC query is issued.
Is there a CVE number for this one?
Thanks in advance!
Cheers,
-- 
Xin LI <delphij@delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die