Hi,
some hours ago I found a way to instantly kill our (production -sigh-) slapd processes with a simple unauthenticated LDAP search operation. We are running 2.4.40 (from Debian wheezy-backports) in production but I was able to reproduce exactly the same behaviour with 2.4.44 (taken from Debian jessie-backports). While I'm building a minimal testcase without internal information so I can provide it to the project (are there more bug submission guidelines than http://www.openldap.org/faq/data/cache/59.html ?), I wanted to ask how you want me to handle this, in my eyes, quite serious incident. Should I just post it to the mailing list or do you prefer a non-public transmission first so the bug does not get exploited in a denial of service use case before you had the chance to come up with a fix? I will also try to verify if the problem is still existing in the current git master or self-compiled 2.4.44.
Best regards, Karsten
Karsten Heymann wrote:
> Should I just post it to the mailing list or do you prefer a non-public transmission first so the bug does not get exploited in a denial of service use case before you had the chance to come up with a fix?
If you feel an issue is very sensitive you can set radio button "Major Security Issue?" to "yes" when filing the bug report via [New Issue Report] here:
http://www.openldap.org/its/index.cgi
Ciao, Michael.
2017-05-16 14:54 GMT+02:00 Michael Ströder <michael@stroeder.com>:
> If you feel an issue is very sensitive you can set radio button "Major Security Issue?" to "yes" when filing the bug report via [New Issue Report] here:
Thanks, will do that as soon as I have usable information collected.
BR Karsten
openldap-technical@openldap.org