[CLA-2001:417] Conectiva Linux Security Announcement - openldap

From: secure@conectiva.com.br
Date: 08/29/01


Date: Wed, 29 Aug 2001 15:47:55 -0300
Message-Id: <200108291847.PAA24834@frajuto.distro.conectiva>
To: conectiva-updates@papaleguas.conectiva.com.br, linuxlist@securityportal.com, lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com


---------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
---------------------------------------------------------------------------

PACKAGE : openldap
SUMMARY : Remote DoS vulnerability in openldap
DATE : 2001-08-29 15:47:00
ID : CLA-2001:417
RELEVANT
RELEASES : 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0

---------------------------------------------------------------------------

DESCRIPTION
 OpenLDAP is an LDAPv2 server and, starting with the 2.0.x series, also
 an LDAPv3 server.
 The PROTOS[2] project ran a suite of protocol tests against many
 different LDAP servers. It was verified[3] that OpenLDAP versions
 before 1.2.11 (1.2.x series) and before 2.0.8 (2.0.x series) have a
 remote denial of service vulnerability: a remote attacker can disrupt
 the service.

SOLUTION
 It is recommended that all OpenLDAP users upgrade their packages.
 Some remarks:
 - it IS necessary to manually restart the service after applying the
 update. Execute "/etc/rc.d/init.d/ldap restart";
 - the openldap2 package (please note the version number together with
 the name) supplied for CL6.0 is experimental, openldap-1.2.x is the
 recommended version for that distribution. In particular, it is not
 possible to have openldap version 1.2.x and openldap2 installed at
 the same time in CL6.0;
 - the openldap1 package (please note the version number together with
 the name) supplied for CL7.0 only has the dynamic libraries in it: no
 program in CL7.0 requires this package and it is provided only for
 compatibility reasons.
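As an added audit check (example code, not Conectiva's own tooling): the script below parses "rpm -qa" style output and flags OpenLDAP packages that are below the fixed versions named above, 1.2.11 for the 1.2.x series and 2.0.8 for the 2.0.x series, using the package names this advisory ships (openldap, openldap1, openldap2 and their subpackages). The sample rpm output embedded in it is constructed.

```python
import re

FIXED = {1: (1, 2, 11), 2: (2, 0, 8)}  # fixed versions named in the advisory

# name-version-release as printed by "rpm -qa"; the name may be openldap,
# openldap1 or openldap2 with an optional subpackage suffix (-devel, -tests).
NVR_RE = re.compile(
    r"^(?P<name>openldap[12]?(?:-[a-z]+)?)-(?P<ver>\d+(?:\.\d+)*)-(?P<rel>\S+)$"
)

def parse_nvr(line):
    """Return (name, version_tuple, release), or None for non-OpenLDAP lines."""
    m = NVR_RE.match(line.strip())
    if not m:
        return None
    version = tuple(int(x) for x in m.group("ver").split("."))
    return m.group("name"), version, m.group("rel")

def verdict(version):
    """'vulnerable' or 'fixed' per the advisory; 'unknown' for other series."""
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unknown"
    return "vulnerable" if version < fixed else "fixed"

def audit(rpm_qa_output):
    """Map every installed OpenLDAP package in rpm -qa output to its verdict."""
    result = {}
    for line in rpm_qa_output.splitlines():
        parsed = parse_nvr(line)
        if parsed:
            name, version, _ = parsed
            result[name] = verdict(version)
    return result

# Constructed sample of "rpm -qa" output, not taken from a real host; the
# openldap1 line reuses the package version from the advisory's download list.
SAMPLE_RPM_QA = """\
openldap-1.2.9-2cl
openldap-devel-1.2.9-2cl
openldap2-2.0.7-1cl
openldap1-1.2.12-1U70_1cl
bash-2.05-3cl
"""

if __name__ == "__main__":
    for name, state in sorted(audit(SAMPLE_RPM_QA).items()):
        print(f"{name}: {state}")
```

The check only looks at installed package versions; it cannot tell whether slapd has been restarted after the update, which the remarks above still require.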

REFERENCES
 1. http://www.cert.org/advisories/CA-2001-18.html
 2. http://www.ee.oulu.fi/research/ouspg/protos/
 3. http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/index.html
 4. http://www.openldap.org
 5. http://www.kb.cert.org/vuls/id/935800

DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/openldap-1.2.12-1U41_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/openldap-devel-1.2.12-1U41_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/openldap-1.2.12-1U41_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/openldap-1.2.12-1U42_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/openldap-devel-1.2.12-1U42_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/openldap-1.2.12-1U42_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/openldap-1.2.12-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/openldap-devel-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/openldap-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/openldap-1.2.12-1U51_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/openldap-1.2.12-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/openldap-devel-1.2.12-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openldap-1.2.12-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap-devel-1.2.12-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap-1.2.12-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openldap2-2.0.11-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-devel-2.0.11-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-2.0.11-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-tests-2.0.11-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/openldap1-1.2.12-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openldap1-1.2.12-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/openldap-1.2.12-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openldap-devel-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openldap-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/openldap-1.2.12-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openldap-devel-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openldap-1.2.12-1U50_1cl.i386.rpm

ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

   rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

   (replace 6.0 with the correct version number if you are not running CL6.0)

 - run: apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

---------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
---------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

---------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br