6 Feb
2015
6 Feb
'15
1:47 p.m.
I haven't seen any announcement of this other than on security lists, but there's an unauthenticated remote DoS bug in 2.4.40:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776991
The actual ITS is a bit confusing, the reporter at one point says he had the issue with a beta version of 2.4.40 and it didn't work against release, but debian confirmed it kills their official 2.4.40 package and it caused a segfault against my gentoo 2.4.40 release, so if you're running 2.4.40 (older versions not vulnerable), it's probably worth applying the patch from head:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=patch;h=2f1a2dd329...
I rebuilt my 2.4.40 with this and it no longer dies when the PoC query is issued.