
Mandriva Linux Security Advisory 2011-056

Posted Mar 30, 2011
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2011-056 - chain.c in back-ldap in OpenLDAP 2.4.x before 2.4.24, when a master-slave configuration with a chain overlay and ppolicy_forward_updates is used, allows remote authenticated users to bypass external-program authentication by sending an invalid password to a slave server. bind.cpp in back-ndb in OpenLDAP 2.4.x before 2.4.24 does not require authentication for the root Distinguished Name, which allows remote attackers to bypass intended access restrictions via an arbitrary password. modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attackers to cause a denial of service via a relative Distinguished Name that contains an empty value for the OldDN field. The updated packages have been patched to correct these issues.

tags | advisory, remote, denial of service, arbitrary, root
systems | linux, mandriva
advisories | CVE-2011-1024, CVE-2011-1025, CVE-2011-1081
SHA-256 | ace7fafa9471fca6031d43a03d644b937b041bcea223a3fb3b08278136c49d2e


_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2011:056
http://www.mandriva.com/security/
_______________________________________________________________________

Package : openldap
Date : March 30, 2011
Affected: 2010.0, 2010.1
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been identified and fixed in openldap:

chain.c in back-ldap in OpenLDAP 2.4.x before 2.4.24,
when a master-slave configuration with a chain overlay and
ppolicy_forward_updates (aka authentication-failure forwarding) is
used, allows remote authenticated users to bypass external-program
authentication by sending an invalid password to a slave server
(CVE-2011-1024).

bind.cpp in back-ndb in OpenLDAP 2.4.x before 2.4.24 does not require
authentication for the root Distinguished Name (DN), which allows
remote attackers to bypass intended access restrictions via an
arbitrary password (CVE-2011-1025).

modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote
attackers to cause a denial of service (daemon crash) via a relative
Distinguished Name (DN) modification request (aka MODRDN operation)
that contains an empty value for the OldDN field (CVE-2011-1081).

The updated packages have been patched to correct these issues.
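The three issues above differ in what they require: CVE-2011-1081 hits any slapd before 2.4.24, while the two bypasses depend on the chain/ppolicy_forward_updates setup and on the NDB backend respectively. The following added example (not part of the Mandriva advisory or of OpenLDAP) turns that into a host check: it compares the running version against 2.4.24 and inspects slapd.conf for the preconditions. The directive spellings "overlay chain", "ppolicy_forward_updates" and "database ndb" are assumed from slapd.conf syntax; the advisory itself does not quote them, and the sample config and version string are constructed.

```shell
# Added example (not from the advisory or OpenLDAP): check a host for MDVSA-2011:056
# exposure from its slapd version and slapd.conf. Assumed, not quoted by the advisory:
# directive spellings "overlay chain", "ppolicy_forward_updates", "database ndb".
FIXED_VERSION="2.4.24"

# Return 0 (true) when dotted numeric version $1 sorts strictly before $2 (2.4.19 < 2.4.24).
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; a="${a#*.}"
        bi="${b%%.*}"; b="${b#*.}"
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}
# Print one line per configuration-dependent CVE whose preconditions appear in $1.
slapd_findings() {
    # CVE-2011-1024 needs the chain overlay together with ppolicy_forward_updates.
    if grep -Eq '^[[:space:]]*overlay[[:space:]]+chain' "$1" &&
       grep -Eq '^[[:space:]]*ppolicy_forward_updates' "$1"; then
        echo "CVE-2011-1024: chain overlay + ppolicy_forward_updates (auth bypass via slave)"
    fi
    # CVE-2011-1025 only applies when the NDB backend is configured.
    if grep -Eq '^[[:space:]]*database[[:space:]]+ndb' "$1"; then
        echo "CVE-2011-1025: back-ndb database (root DN bind accepts any password)"
    fi
}

# Exit 0 when the host needs the update, 1 when it already runs a fixed version.
assess_host() {
    ver="$1"; cfg="$2"
    if ! version_lt "$ver" "$FIXED_VERSION"; then
        echo "slapd $ver: not affected by MDVSA-2011:056"
        return 1
    fi
    echo "slapd $ver < $FIXED_VERSION: CVE-2011-1081 (MODRDN crash) applies regardless of config"
    slapd_findings "$cfg"
}

# Constructed sample slapd.conf: a chained slave with authentication-failure forwarding.
SAMPLE_CFG="$(mktemp)"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
database        bdb
overlay         ppolicy
ppolicy_forward_updates
overlay         chain
EOF
assess_host "2.4.19" "$SAMPLE_CFG"   # constructed version string
```

On a real host, feed the output of `slapd -V` (or the installed package version) and the live slapd.conf instead of the constructed values.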
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1024
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1081
_______________________________________________________________________

Updated Packages:

_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
