7003811 2001-08-29 15:47 -0300 /127 lines/ <secure@conectiva.com.br>
Sent by: joel@lysator.liu.se
Imported: 2001-08-29 22:43 by Brevbäraren
External recipient: conectiva-updates@papaleguas.conectiva.com.br
External recipient: linuxlist@securityportal.com
External recipient: lwn@lwn.net
External recipient: bugtraq@securityfocus.com
External recipient: security-alerts@linuxsecurity.com
Recipient: Bugtraq (import) <18992>
Subject: [CLA-2001:417] Conectiva Linux Security Announcement - openldap
------------------------------------------------------------
From: secure@conectiva.com.br
To: conectiva-updates@papaleguas.conectiva.com.br, linuxlist@securityportal.com,
    lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com
Message-ID: <200108291847.PAA24834@frajuto.distro.conectiva>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE   : openldap
SUMMARY   : Remote DoS vulnerability in openldap
DATE      : 2001-08-29 15:47:00
ID        : CLA-2001:417
RELEVANT
RELEASES  : 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0

- -------------------------------------------------------------------------

DESCRIPTION
 OpenLDAP is an LDAPv2 and LDAPv3 (starting with version 2.0.x) server.

 The PROTOS[2] project conducted several protocol tests with many
 different LDAP servers. It was verified[3] that OpenLDAP versions before
 1.2.11 and 2.0.8 (from the 2.0.x series) have a remote denial of service
 vulnerability that allows a remote attacker to disrupt the service.

SOLUTION
 It is recommended that all OpenLDAP users upgrade their packages.

 Some remarks:
 - it IS necessary to manually restart the service after applying the
   update. Execute "/etc/rc.d/init.d/ldap restart";
 - the openldap2 package (please note the version number together with
   the name) supplied for CL6.0 is experimental; openldap-1.2.x is the
   recommended version for that distribution. In particular, it is not
   possible to have openldap version 1.2.x and openldap2 installed at the
   same time in CL6.0;
 - the openldap1 package (please note the version number together with
   the name) supplied for CL7.0 only has the dynamic libraries in it: no
   program in CL7.0 requires this package and it is provided only for
   compatibility reasons.

REFERENCES
 1. http://www.cert.org/advisories/CA-2001-18.html
 2. http://www.ee.oulu.fi/research/ouspg/protos/
 3. http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/index.html
 4. http://www.openldap.org
 5. http://www.kb.cert.org/vuls/id/935800

DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
 ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/openldap-1.2.12-1U41_1cl.src.rpm
 ftp://atualizacoes.conectiva.com.br/4.1/i386/openldap-devel-1.2.12-1U41_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/4.1/i386/openldap-1.2.12-1U41_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/openldap-1.2.12-1U42_1cl.src.rpm
 ftp://atualizacoes.conectiva.com.br/4.2/i386/openldap-devel-1.2.12-1U42_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/4.2/i386/openldap-1.2.12-1U42_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/openldap-1.2.12-1U50_1cl.src.rpm
 ftp://atualizacoes.conectiva.com.br/5.0/i386/openldap-devel-1.2.12-1U50_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/5.0/i386/openldap-1.2.12-1U50_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/openldap-1.2.12-1U51_1cl.src.rpm
 ftp://atualizacoes.conectiva.com.br/5.1/i386/openldap-1.2.12-1U51_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/5.1/i386/openldap-devel-1.2.12-1U51_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openldap-1.2.12-1U60_1cl.src.rpm
 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap-devel-1.2.12-1U60_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap-1.2.12-1U60_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openldap2-2.0.11-1U60_1cl.src.rpm
 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-devel-2.0.11-1U60_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-2.0.11-1U60_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-tests-2.0.11-1U60_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/openldap1-1.2.12-1U70_1cl.src.rpm
 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openldap1-1.2.12-1U70_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/openldap-1.2.12-1U50_1cl.src.rpm
 ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openldap-devel-1.2.12-1U50_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openldap-1.2.12-1U50_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/openldap-1.2.12-1U50_1cl.src.rpm
 ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openldap-devel-1.2.12-1U50_1cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openldap-1.2.12-1U50_1cl.i386.rpm

ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there
   yet (you may also use linuxconf to do this):
   rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
   (replace 6.0 with the correct version number if you are not running
   CL6.0)
 - run: apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples can
 be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7jTja42jd0JmAcZARAl5nAKDkzNhEcUS86hU8QBobyz/XJwrj/wCgqy7B
r/mD2GHelkoL/PoTuTCV7eo=
=Hz7L
-----END PGP SIGNATURE-----
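The version boundaries given in the DESCRIPTION section (vulnerable before 1.2.11 in the 1.2.x series and before 2.0.8 in the 2.0.x series) and the restart reminder in SOLUTION can be turned into a local pre-upgrade check. The POSIX shell script below is an added example and is not part of the Conectiva advisory or of any Conectiva tooling: it parses `name-version-release` lines in the form printed by `rpm -q`, classifies each version against the advisory's boundaries, and prints the restart reminder when anything is still affected. The sample package lines are constructed; the package names (openldap, openldap-devel, openldap2, openldap1) and the release tags are taken from the advisory's download list.

```shell
#!/bin/sh
# Added example, not part of the advisory: check installed OpenLDAP
# package versions against the vulnerable ranges named in CLA-2001:417.

# Compare two dotted version strings numerically; prints -1, 0 or 1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0          # missing component counts as 0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# Exit status 0 (true) when VERSION falls inside a range the advisory
# describes as vulnerable. Assumption: the boundaries are exactly those
# stated in the DESCRIPTION section (before 1.2.11, before 2.0.8).
openldap_vulnerable() {
    v="$1"
    case "$v" in
        1.*)   [ "$(vercmp "$v" 1.2.11)" -lt 0 ] ;;
        2.0.*) [ "$(vercmp "$v" 2.0.8)" -lt 0 ] ;;
        *)     return 1 ;;   # series not covered by this advisory
    esac
}

# Take one "name-version-release" line (rpm -q output format) and print
# "name version VULNERABLE|OK". The package name may itself contain dashes
# (openldap-devel), so version and release are taken from the right end.
check_rpm_line() {
    line="$1"
    rest="${line%-*}"          # strip release
    version="${rest##*-}"      # last dash-separated field is the version
    name="${rest%-*}"
    if openldap_vulnerable "$version"; then status=VULNERABLE; else status=OK; fi
    printf '%s %s %s\n' "$name" "$version" "$status"
}

# Count the affected packages in a newline-separated list of rpm -q lines.
count_vulnerable() {
    n=0
    for pkg in $1; do
        case "$(check_rpm_line "$pkg")" in *VULNERABLE) n=$((n + 1)) ;; esac
    done
    printf '%s\n' "$n"
}

# Constructed sample output of `rpm -q openldap openldap-devel openldap2 openldap1`
# on a host where the 1.2.x packages were not yet upgraded.
SAMPLE_RPM_Q='openldap-1.2.9-3cl
openldap-devel-1.2.9-3cl
openldap2-2.0.11-1U60_1cl
openldap1-1.2.12-1U70_1cl'

for pkg in $SAMPLE_RPM_Q; do check_rpm_line "$pkg"; done
if [ "$(count_vulnerable "$SAMPLE_RPM_Q")" -gt 0 ]; then
    echo "Upgrade the packages marked VULNERABLE, then run: /etc/rc.d/init.d/ldap restart"
fi
```

On a real host, replace the constructed `SAMPLE_RPM_Q` with the output of `rpm -q openldap openldap-devel openldap2 openldap1` (packages that are not installed produce an "is not installed" line, which the parser would need to skip). The check only reports the version comparison; it does not verify package signatures, which the advisory's own instructions cover separately.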