I haven't seen any announcement of this other than on security lists, but there's an unauthenticated remote DoS bug in 2.4.40:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776991
The actual ITS is a bit confusing: the reporter at one point says he had the issue with a beta version of 2.4.40 and it didn't work against release, but Debian confirmed it kills their official 2.4.40 package and it caused a segfault against my Gentoo 2.4.40 release, so if you're running 2.4.40 (older versions not vulnerable), it's probably worth applying the patch from head:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=patch;h=2f1a2dd329...
I rebuilt my 2.4.40 with this and it no longer dies when the PoC query is issued.
On 02/06/15 13:47, Paul B. Henson wrote:
> I haven't seen any announcement of this other than on security lists, but there's an unauthenticated remote DoS bug in 2.4.40:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776991
> The actual ITS is a bit confusing: the reporter at one point says he had the issue with a beta version of 2.4.40 and it didn't work against release, but Debian confirmed it kills their official 2.4.40 package and it caused a segfault against my Gentoo 2.4.40 release, so if you're running 2.4.40 (older versions not vulnerable), it's probably worth applying the patch from head:
> http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=patch;h=2f1a2dd329...
> I rebuilt my 2.4.40 with this and it no longer dies when the PoC query is issued.
Is there a CVE number for this one?
Thanks in advance!
Cheers,
--
Xin LI <delphij@delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
On Fri, Feb 06, 2015 at 02:09:47PM -0800, Xin Li wrote:
> Is there a CVE number for this one?
There's been a request:
http://www.openwall.com/lists/oss-security/2015/02/06/3
but I haven't seen one assigned.
I forgot to mention there's also a remote DoS in the deref overlay in slapd 2.4.13 through 2.4.40, as I don't use that.
openldap-technical@openldap.org