[Bug 1446809] Re: [SRU] denial of service via an LDAP search query with attrsOnly set to true (CVE-2012-1164)

Sebastien Bacher seb128 at ubuntu.com
Mon May 18 14:10:50 UTC 2015


Thanks, that seems fixed in the current series, so closing that part and
accepting for Precise. Since the issue has a CVE, replacing the sponsors
by the security-team sponsors.

** Also affects: openldap (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Changed in: openldap (Ubuntu)
       Status: New => Fix Released

** Changed in: openldap (Ubuntu)
   Importance: Undecided => High

** Changed in: openldap (Ubuntu Precise)
       Status: New => Triaged

** Changed in: openldap (Ubuntu Precise)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1446809

Title:
  [SRU] denial of service via an LDAP search query with attrsOnly set to
  true (CVE-2012-1164)

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Precise:
  Triaged
Status in openldap package in Debian:
  Fix Released

Bug description:
  [Impact]

  * slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a
  denial of service (assertion failure and daemon exit) via an LDAP
  search query with attrsOnly set to true, which causes empty attributes
  to be returned.

  * Trusty ships 2.4.31 which comes with a fix for this.

  [Test Case]

  TBD

  [Regression Potential]

  * this set of patches adds validations to avoid segfaults, so no
  regression is expected.

  [Other Info]

  * Upstream bug report http://www.openldap.org/its/index.cgi/Software%2520Bugs?id=7143
  * http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1164.html
  * Patches backported:
    - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=ef2f5263de8802794e528cc2648ecfca369302ae (p1)
    - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=430256fafb85028443d7964a5ab1f4bbf8b2db38 (p2)
    - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=463c1fa25d45e393dc1f1ea235286f79e872fad0 (p3)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1446809/+subscriptions
