Debian Security Advisory

DSA-068-1 openldap -- remote DoS

Date Reported:
09 Aug 2001
Affected Packages:
openldap
Vulnerable:
Yes
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 3049.
In Mitre's CVE dictionary: CVE-2001-0977.
CERT's vulnerabilities, advisories and incident notes: CA-2001-18.
More information:
The CERT advisory lists a number of vulnerabilities in various LDAP implementations, based on the results of the PROTOS LDAPv3 test suite. These tests found one problem in OpenLDAP, a free LDAP implementation which is shipped as part of Debian GNU/Linux 2.2.

The problem is that slapd did not handle packets which had BER fields of invalid length and would crash if it received them. An attacker could use this to mount a remote denial of service attack.

This problem has been fixed in version 1.2.12-1, and we recommend that you upgrade your slapd package immediately.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:
http://security.debian.org/dists/stable/updates/main/source/openldap_1.2.12-1.dsc
http://security.debian.org/dists/stable/updates/main/source/openldap_1.2.12-1.tar.gz
Architecture-independent component:
http://security.debian.org/dists/stable/updates/main/binary-all/ldap-rfc_1.2.12-1_all.deb
http://security.debian.org/dists/stable/updates/main/binary-all/libopenldap-runtime_1.2.12-1_all.deb
ARM:
http://security.debian.org/dists/stable/updates/main/binary-arm/libopenldap-dev_1.2.12-1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libopenldap1_1.2.12-1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/openldap-gateways_1.2.12-1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/openldap-utils_1.2.12-1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/openldapd_1.2.12-1_arm.deb
Alpha:
http://security.debian.org/dists/stable/updates/main/binary-alpha/libopenldap-dev_1.2.12-1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libopenldap1_1.2.12-1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/openldap-gateways_1.2.12-1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/openldap-utils_1.2.12-1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/openldapd_1.2.12-1_alpha.deb
Intel IA-32:
http://security.debian.org/dists/stable/updates/main/binary-i386/libopenldap-dev_1.2.12-1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libopenldap1_1.2.12-1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/openldap-gateways_1.2.12-1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/openldap-utils_1.2.12-1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/openldapd_1.2.12-1_i386.deb
Motorola 680x0:
http://security.debian.org/dists/stable/updates/main/binary-m68k/libopenldap-dev_1.2.12-1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/libopenldap1_1.2.12-1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/openldap-gateways_1.2.12-1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/openldap-utils_1.2.12-1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/openldapd_1.2.12-1_m68k.deb
PowerPC:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libopenldap-dev_1.2.12-1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libopenldap1_1.2.12-1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/openldap-gateways_1.2.12-1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/openldap-utils_1.2.12-1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/openldapd_1.2.12-1_powerpc.deb
Sun Sparc:
http://security.debian.org/dists/stable/updates/main/binary-sparc/libopenldap-dev_1.2.12-1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libopenldap1_1.2.12-1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/openldap-gateways_1.2.12-1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/openldap-utils_1.2.12-1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/openldapd_1.2.12-1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.