7003811 2001-08-29 15:47 -0300  /127 lines/  <secure@conectiva.com.br>
Sent by: joel@lysator.liu.se
Imported: 2001-08-29  22:43  by Brevbäraren
External recipient: conectiva-updates@papaleguas.conectiva.com.br
External recipient: linuxlist@securityportal.com
External recipient: lwn@lwn.net
External recipient: bugtraq@securityfocus.com
External recipient: security-alerts@linuxsecurity.com
Recipient: Bugtraq (import) <18992>
Subject: [CLA-2001:417] Conectiva Linux Security Announcement - openldap
------------------------------------------------------------
From: secure@conectiva.com.br
To: conectiva-updates@papaleguas.conectiva.com.br,
 linuxlist@securityportal.com, lwn@lwn.net, bugtraq@securityfocus.com,
 security-alerts@linuxsecurity.com
Message-ID: <200108291847.PAA24834@frajuto.distro.conectiva>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : openldap
SUMMARY   : Remote DoS vulnerability in openldap
DATE      : 2001-08-29 15:47:00
ID        : CLA-2001:417
RELEVANT
RELEASES  : 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0

- -------------------------------------------------------------------------

DESCRIPTION
 OpenLDAP is an LDAPv2 server and, starting with the 2.0.x series, an
 LDAPv3 server.
 The PROTOS[2] project conducted a series of protocol tests against many
 different LDAP servers. It was verified[3] that OpenLDAP versions
 before 1.2.11 (1.2.x series) and before 2.0.8 (2.0.x series) have a
 remote denial of service vulnerability that allows an unauthenticated
 remote attacker to disrupt the service.


SOLUTION
 It is recommended that all OpenLDAP users upgrade their packages.
 Some remarks:
 - it IS necessary to manually restart the service after applying the
 update. Execute "/etc/rc.d/init.d/ldap restart";
 - the openldap2 package (please note the version number together with
 the name) supplied for CL6.0 is experimental, openldap-1.2.x is the
 recommended version for that distribution. In particular, it is not
 possible to have openldap version 1.2.x and openldap2 installed at
 the same time in CL6.0;
 - the openldap1 package (please note the version number together with
 the name) supplied for CL7.0 only has the dynamic libraries in it: no
 program in CL7.0 requires this package and it is provided only for
 compatibility reasons.
 
 
REFERENCES
 1. http://www.cert.org/advisories/CA-2001-18.html
 2. http://www.ee.oulu.fi/research/ouspg/protos/
 3. http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/index.html
 4. http://www.openldap.org
 5. http://www.kb.cert.org/vuls/id/935800


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/openldap-1.2.12-1U41_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/openldap-devel-1.2.12-1U41_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/openldap-1.2.12-1U41_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/openldap-1.2.12-1U42_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/openldap-devel-1.2.12-1U42_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/openldap-1.2.12-1U42_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/openldap-1.2.12-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/openldap-devel-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/openldap-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/openldap-1.2.12-1U51_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/openldap-1.2.12-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/openldap-devel-1.2.12-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openldap-1.2.12-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap-devel-1.2.12-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap-1.2.12-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openldap2-2.0.11-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-devel-2.0.11-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-2.0.11-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-tests-2.0.11-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/openldap1-1.2.12-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openldap1-1.2.12-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/openldap-1.2.12-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openldap-devel-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openldap-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/openldap-1.2.12-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openldap-devel-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openldap-1.2.12-1U50_1cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

   rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

   (replace 6.0 with the correct version number if you are not running
   CL6.0)

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples
 can be found at
 http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
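As an added example, not part of the Conectiva advisory: a POSIX shell check that reads rpm's NAME-VERSION-RELEASE output and reports which installed openldap, openldap1 or openldap2 packages are still below the versions the advisory names as fixed (1.2.11 for the 1.2.x series, 2.0.8 for 2.0.x). The package strings in the comments are constructed samples, and version fields are assumed to be purely numeric.

```shell
#!/bin/sh
# Added example (not Conectiva's code): is an installed OpenLDAP RPM still
# affected by CLA-2001:417?  Per the advisory, 1.2.x before 1.2.11 and
# 2.0.x before 2.0.8 are vulnerable.  Input is rpm's NAME-VERSION-RELEASE
# form, e.g. "openldap-1.2.9-1U60_1cl" (constructed sample value).
# vercmp A B: prints -1, 0 or 1 as A is older than, equal to or newer than B.
vercmp() {
    a=$1; b=$2; r=0
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0};  y=${y:-0}           # missing field counts as 0 (1.2 == 1.2.0)
        if   [ "$x" -lt "$y" ]; then r=-1; break
        elif [ "$x" -gt "$y" ]; then r=1;  break
        fi
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' "$r"
}
# ldap_affected NAME-VERSION-RELEASE: exit 0 if affected, 1 if fixed,
# 2 if the package is not openldap / openldap1 / openldap2 (or unknown series).
ldap_affected() {
    pkg=$1
    name=${pkg%%-*}                     # openldap-devel-1.2.9-1U60_1cl -> openldap
    ver=${pkg%-*}; ver=${ver##*-}       # -> 1.2.9 (release field dropped)
    case "$name" in
        openldap|openldap1|openldap2) ;;
        *) return 2 ;;
    esac
    case "$ver" in                      # each series has its own fixed version
        1.2.*) fixed=1.2.11 ;;
        2.0.*) fixed=2.0.8 ;;
        *)     return 2 ;;
    esac
    [ "$(vercmp "$ver" "$fixed")" -lt 0 ]
}
# audit_packages: reads NAME-VERSION-RELEASE lines on stdin, for instance
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' | audit_packages
# prints a verdict per openldap package and returns the number affected.
audit_packages() {
    n=0
    while read -r pkg; do
        ldap_affected "$pkg" && rc=0 || rc=$?
        case $rc in
            0) echo "AFFECTED $pkg  (upgrade, then /etc/rc.d/init.d/ldap restart)"; n=$((n+1)) ;;
            1) echo "ok       $pkg" ;;
        esac
    done
    return $n
}
```

The return value of audit_packages is the count of affected packages, so a non-zero status from the pipeline is the signal that the upgrade and the manual service restart are still outstanding.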


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7jTja42jd0JmAcZARAl5nAKDkzNhEcUS86hU8QBobyz/XJwrj/wCgqy7B
r/mD2GHelkoL/PoTuTCV7eo=
=Hz7L
-----END PGP SIGNATURE-----