-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2010:142 http://www.mandriva.com/security/ _______________________________________________________________________ Package : openldap Date : July 28, 2010 Affected: 2008.0, 2009.0, 2009.1, 2010.0, 2010.1, Corporate 4.0, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been discovered and corrected in openldap: The slap_modrdn2mods function in modrdn.c in OpenLDAP 2.4.22 does not check the return value of a call to the smr_normalize function, which allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a modrdn call with an RDN string containing invalid UTF-8 sequences, which triggers a free of an invalid, uninitialized pointer in the slap_mods_free function, as demonstrated using the Codenomicon LDAPv3 test suite (CVE-2010-0211). OpenLDAP 2.4.22 allows remote attackers to cause a denial of service (crash) via a modrdn call with a zero-length RDN destination string, which is not properly handled by the smr_normalize function and triggers a NULL pointer dereference in the IA5StringNormalize function in schema_init.c, as demonstrated using the Codenomicon LDAPv3 test suite (CVE-2010-0212). Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 The updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0211 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0212 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.0: a7040ed1d2e4922f3c20d8183d45f5a9 2008.0/i586/libldap2.3_0-2.3.38-3.5mdv2008.0.i586.rpm b1c09c5812b180b01fb82462be3a1227 2008.0/i586/libldap2.3_0-devel-2.3.38-3.5mdv2008.0.i586.rpm 64010da2c45dcc2fcdc959dca532e43f 2008.0/i586/libldap2.3_0-static-devel-2.3.38-3.5mdv2008.0.i586.rpm af8ba2a7984616b44e6e97e70e09e684 2008.0/i586/openldap-2.3.38-3.5mdv2008.0.i586.rpm 19fa25f30f69d5036b66358a1e964b98 2008.0/i586/openldap-clients-2.3.38-3.5mdv2008.0.i586.rpm 8cec1f954d49079739101464ba424862 2008.0/i586/openldap-doc-2.3.38-3.5mdv2008.0.i586.rpm b6c2a87d11d9022f53a1488cf15bf58a 2008.0/i586/openldap-servers-2.3.38-3.5mdv2008.0.i586.rpm 9e135815d465c821300215115b194c95 2008.0/i586/openldap-testprogs-2.3.38-3.5mdv2008.0.i586.rpm bc1239e1cb30f2c27a4532711fb9daeb 2008.0/i586/openldap-tests-2.3.38-3.5mdv2008.0.i586.rpm b5889315b832465659ff66503bb6944d 2008.0/SRPMS/openldap-2.3.38-3.5mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: dffb422c6ad84b4f682b271165125245 2008.0/x86_64/lib64ldap2.3_0-2.3.38-3.5mdv2008.0.x86_64.rpm 05e51f393f9b683ee5f309a001f94453 2008.0/x86_64/lib64ldap2.3_0-devel-2.3.38-3.5mdv2008.0.x86_64.rpm 40cf33cd99e57d50bca4207350c7a4ee 2008.0/x86_64/lib64ldap2.3_0-static-devel-2.3.38-3.5mdv2008.0.x86_64.rpm e72e6b9fdbf6124e709709eeb53a5424 2008.0/x86_64/openldap-2.3.38-3.5mdv2008.0.x86_64.rpm 2d67e3045491a73c1ecca4ee148f890f 2008.0/x86_64/openldap-clients-2.3.38-3.5mdv2008.0.x86_64.rpm 39bbd7bd39c82ffe083427e4649cfba5 2008.0/x86_64/openldap-doc-2.3.38-3.5mdv2008.0.x86_64.rpm fcbb12e9a4674a4a92dd04b695ca762d 2008.0/x86_64/openldap-servers-2.3.38-3.5mdv2008.0.x86_64.rpm 1dac71eccd0ccdfc3aeda5a78df892e7 2008.0/x86_64/openldap-testprogs-2.3.38-3.5mdv2008.0.x86_64.rpm cb1dbab5ebc78c59f048da91b9703361 2008.0/x86_64/openldap-tests-2.3.38-3.5mdv2008.0.x86_64.rpm b5889315b832465659ff66503bb6944d 2008.0/SRPMS/openldap-2.3.38-3.5mdv2008.0.src.rpm Mandriva Linux 2009.0: d457f06402953bf41d9ac66ac6a7aa64 2009.0/i586/libldap2.4_2-2.4.11-3.3mdv2009.0.i586.rpm 855126a1464aa00580886d3f3b7a317b 2009.0/i586/libldap2.4_2-devel-2.4.11-3.3mdv2009.0.i586.rpm 9dbf0408c39216a0a142195f5b47a51a 2009.0/i586/libldap2.4_2-static-devel-2.4.11-3.3mdv2009.0.i586.rpm 82f7e36d37f009942bb105092c21b280 2009.0/i586/openldap-2.4.11-3.3mdv2009.0.i586.rpm 16dbf378a19902713c0f9bba31358455 2009.0/i586/openldap-clients-2.4.11-3.3mdv2009.0.i586.rpm af3cf5fc20e6cfa2d44efc50116f84c5 2009.0/i586/openldap-doc-2.4.11-3.3mdv2009.0.i586.rpm d5727d9472d31123a8c3b4a284af2d52 2009.0/i586/openldap-servers-2.4.11-3.3mdv2009.0.i586.rpm 32a5895f78bea22a051699b4ed9f93f3 2009.0/i586/openldap-testprogs-2.4.11-3.3mdv2009.0.i586.rpm fadb9e6d3a595249bf88ae48c609adc5 2009.0/i586/openldap-tests-2.4.11-3.3mdv2009.0.i586.rpm 0a0568f3eca320267b4f6b2e9d5f99de 2009.0/SRPMS/openldap-2.4.11-3.3mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: 1f0dc305dec801e492edc84fc8e00061 2009.0/x86_64/lib64ldap2.4_2-2.4.11-3.3mdv2009.0.x86_64.rpm 77c3389cf341cd2a72d6e8161cd1f894 2009.0/x86_64/lib64ldap2.4_2-devel-2.4.11-3.3mdv2009.0.x86_64.rpm 85bfe02ab43114eabc65069b1a2b3360 2009.0/x86_64/lib64ldap2.4_2-static-devel-2.4.11-3.3mdv2009.0.x86_64.rpm 7721bf8ad4bc1aaf0ca09caa5aefb73e 2009.0/x86_64/openldap-2.4.11-3.3mdv2009.0.x86_64.rpm 178cb0b7a75110d6b64bbd341d08b91a 2009.0/x86_64/openldap-clients-2.4.11-3.3mdv2009.0.x86_64.rpm f75365bb8422154dcc16fb73a8bd5410 2009.0/x86_64/openldap-doc-2.4.11-3.3mdv2009.0.x86_64.rpm 7604c5d721c630348174a453467ac799 2009.0/x86_64/openldap-servers-2.4.11-3.3mdv2009.0.x86_64.rpm 614334ed8ef6303f6709f2e950915375 2009.0/x86_64/openldap-testprogs-2.4.11-3.3mdv2009.0.x86_64.rpm 875faf8dee0e61a0f7188a3d3ae5b885 2009.0/x86_64/openldap-tests-2.4.11-3.3mdv2009.0.x86_64.rpm 0a0568f3eca320267b4f6b2e9d5f99de 2009.0/SRPMS/openldap-2.4.11-3.3mdv2009.0.src.rpm Mandriva Linux 2009.1: d4a2d41cca258c0dc87ea657d0e00569 2009.1/i586/libldap2.4_2-2.4.16-1.2mdv2009.1.i586.rpm 036c89da1ea3d782d6c226078cf21d4f 2009.1/i586/libldap2.4_2-devel-2.4.16-1.2mdv2009.1.i586.rpm 70831a1fe028692aaa03cd02c2cfb400 2009.1/i586/libldap2.4_2-static-devel-2.4.16-1.2mdv2009.1.i586.rpm f568004ca21b2fd01edf99c80ced540c 2009.1/i586/openldap-2.4.16-1.2mdv2009.1.i586.rpm a231549516ab4eda4c60870523ede860 2009.1/i586/openldap-clients-2.4.16-1.2mdv2009.1.i586.rpm c1878219fc5b93d391d3a2c0ff0ed8f1 2009.1/i586/openldap-doc-2.4.16-1.2mdv2009.1.i586.rpm 5806259034d52c3141f956a66f0d9976 2009.1/i586/openldap-servers-2.4.16-1.2mdv2009.1.i586.rpm 7672b9cefc322b508766a1925be60604 2009.1/i586/openldap-testprogs-2.4.16-1.2mdv2009.1.i586.rpm df0577b169fa72546927fddb6af86ab5 2009.1/i586/openldap-tests-2.4.16-1.2mdv2009.1.i586.rpm 77bd37ef46df1b87d1a43ade6a6c6097 2009.1/SRPMS/openldap-2.4.16-1.2mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: c68af2323836b445663c47a9093136ca 2009.1/x86_64/lib64ldap2.4_2-2.4.16-1.2mdv2009.1.x86_64.rpm 1943dc9365929b6affc05feeafe4078a 2009.1/x86_64/lib64ldap2.4_2-devel-2.4.16-1.2mdv2009.1.x86_64.rpm 43ab67b061a6673799b420f61f2f9030 2009.1/x86_64/lib64ldap2.4_2-static-devel-2.4.16-1.2mdv2009.1.x86_64.rpm ba150d3290773567135bef70620041c5 2009.1/x86_64/openldap-2.4.16-1.2mdv2009.1.x86_64.rpm 251b0e0b679f1f1c510b2ae8c7dcaac4 2009.1/x86_64/openldap-clients-2.4.16-1.2mdv2009.1.x86_64.rpm c75ae8daf5f7b9524c4d0999fefc6bf8 2009.1/x86_64/openldap-doc-2.4.16-1.2mdv2009.1.x86_64.rpm f1c4de1210c7b57f1b10c741bbb133dd 2009.1/x86_64/openldap-servers-2.4.16-1.2mdv2009.1.x86_64.rpm 5b45a0d4fb15c71603cd9a04c5c0edaa 2009.1/x86_64/openldap-testprogs-2.4.16-1.2mdv2009.1.x86_64.rpm 15623d71c00fe261d94153c5325a0b0a 2009.1/x86_64/openldap-tests-2.4.16-1.2mdv2009.1.x86_64.rpm 77bd37ef46df1b87d1a43ade6a6c6097 2009.1/SRPMS/openldap-2.4.16-1.2mdv2009.1.src.rpm Mandriva Linux 2010.0: c582f97df88d740b268adebe603a3d9e 2010.0/i586/libldap2.4_2-2.4.19-2.1mdv2010.0.i586.rpm da58a1da19074e4342689ddc4e5cd8c7 2010.0/i586/libldap2.4_2-devel-2.4.19-2.1mdv2010.0.i586.rpm d594623d22db6834d619a9a256f36c95 2010.0/i586/libldap2.4_2-static-devel-2.4.19-2.1mdv2010.0.i586.rpm fbf789c4531c502e8afb28f40739c487 2010.0/i586/openldap-2.4.19-2.1mdv2010.0.i586.rpm 0c17594a7675f3f85edfd212e41eaad2 2010.0/i586/openldap-clients-2.4.19-2.1mdv2010.0.i586.rpm b432b4b453fa686b884111bd528f6888 2010.0/i586/openldap-doc-2.4.19-2.1mdv2010.0.i586.rpm b549adb80109c460f89d7b71e51884f5 2010.0/i586/openldap-servers-2.4.19-2.1mdv2010.0.i586.rpm 4774bc9893190ab1da50a3ca2f515cae 2010.0/i586/openldap-testprogs-2.4.19-2.1mdv2010.0.i586.rpm 14af5b706586c17cc2740447f249521b 2010.0/i586/openldap-tests-2.4.19-2.1mdv2010.0.i586.rpm f136b84e2564e5378fe32f491df92439 2010.0/SRPMS/openldap-2.4.19-2.1mdv2010.0.src.rpm Mandriva Linux 2010.0/X86_64: e883d7634277bee4b64dd3ce58531860 2010.0/x86_64/lib64ldap2.4_2-2.4.19-2.1mdv2010.0.x86_64.rpm 78bb96d659e9f4126e7ff22b183d8819 2010.0/x86_64/lib64ldap2.4_2-devel-2.4.19-2.1mdv2010.0.x86_64.rpm c5a8c127d705f840cdfb969a10d529c3 2010.0/x86_64/lib64ldap2.4_2-static-devel-2.4.19-2.1mdv2010.0.x86_64.rpm e47095e0be820d16228ba0e0771c56b3 2010.0/x86_64/openldap-2.4.19-2.1mdv2010.0.x86_64.rpm 06ef73a1261c1cd3e07b1c383346cd7f 2010.0/x86_64/openldap-clients-2.4.19-2.1mdv2010.0.x86_64.rpm 68a09d5efad1c11d9905817a0f4c8b7e 2010.0/x86_64/openldap-doc-2.4.19-2.1mdv2010.0.x86_64.rpm 87fe9ae6f3163f140b4c3c23c9e441f3 2010.0/x86_64/openldap-servers-2.4.19-2.1mdv2010.0.x86_64.rpm 1c2906f3a3e96b7e93e8f10b6caca2a3 2010.0/x86_64/openldap-testprogs-2.4.19-2.1mdv2010.0.x86_64.rpm 30073ad2470aab5ad666669ea7c62dec 2010.0/x86_64/openldap-tests-2.4.19-2.1mdv2010.0.x86_64.rpm f136b84e2564e5378fe32f491df92439 2010.0/SRPMS/openldap-2.4.19-2.1mdv2010.0.src.rpm Mandriva Linux 2010.1: 674061eb33ede2fc880be95eac6b7cbf 2010.1/i586/libldap2.4_2-2.4.22-2.1mdv2010.1.i586.rpm b7014afab8beec155f8b697145284db3 2010.1/i586/libldap2.4_2-devel-2.4.22-2.1mdv2010.1.i586.rpm 6c6f247fcdd3c2267a9d9396b58560c2 2010.1/i586/libldap2.4_2-static-devel-2.4.22-2.1mdv2010.1.i586.rpm bfdfe7c3f80906e5db8b5cd5931b9ec7 2010.1/i586/openldap-2.4.22-2.1mdv2010.1.i586.rpm 602b79a8b1aaed19121afa4748c1f2cd 2010.1/i586/openldap-clients-2.4.22-2.1mdv2010.1.i586.rpm 04097f0a8670dee06050d9241e0985a2 2010.1/i586/openldap-doc-2.4.22-2.1mdv2010.1.i586.rpm 2633b177f01cfd1757917560d740dc90 2010.1/i586/openldap-servers-2.4.22-2.1mdv2010.1.i586.rpm 727df6a967dbbc43412d9bbed65d52e9 2010.1/i586/openldap-testprogs-2.4.22-2.1mdv2010.1.i586.rpm e4bc125bcbc929e93c1d2122ddda6fcf 2010.1/i586/openldap-tests-2.4.22-2.1mdv2010.1.i586.rpm 1bedc617bd912dfd9f4710645298c59d 2010.1/SRPMS/openldap-2.4.22-2.1mdv2010.1.src.rpm Mandriva Linux 2010.1/X86_64: b4b9ef21a66b0086d3c5d1348dd87392 2010.1/x86_64/lib64ldap2.4_2-2.4.22-2.1mdv2010.1.x86_64.rpm d16d58ed3bf9256771ecfd8996b15d9b 2010.1/x86_64/lib64ldap2.4_2-devel-2.4.22-2.1mdv2010.1.x86_64.rpm dc00ac52a31e05ab6a52e56a786d7c20 2010.1/x86_64/lib64ldap2.4_2-static-devel-2.4.22-2.1mdv2010.1.x86_64.rpm 9e9ec6e05a680ad686e992b13781e671 2010.1/x86_64/openldap-2.4.22-2.1mdv2010.1.x86_64.rpm 889681834ca9262e7601797a8cd9fc30 2010.1/x86_64/openldap-clients-2.4.22-2.1mdv2010.1.x86_64.rpm 94407d4c6204f60650e11ab33584f9d3 2010.1/x86_64/openldap-doc-2.4.22-2.1mdv2010.1.x86_64.rpm a73ca8a93a0eb0ed01f04b15ac250bc2 2010.1/x86_64/openldap-servers-2.4.22-2.1mdv2010.1.x86_64.rpm 6d95ea417328d4467c4f907a764f97d5 2010.1/x86_64/openldap-testprogs-2.4.22-2.1mdv2010.1.x86_64.rpm 2d77b08ce9c751b7d9b944d493c8a677 2010.1/x86_64/openldap-tests-2.4.22-2.1mdv2010.1.x86_64.rpm 1bedc617bd912dfd9f4710645298c59d 2010.1/SRPMS/openldap-2.4.22-2.1mdv2010.1.src.rpm Corporate 4.0: 1c7d8fdf08331f11a3a5eacf6a7d9e32 corporate/4.0/i586/libldap2.3_0-2.3.27-1.7.20060mlcs4.i586.rpm d1ba0c11272c846178fb87a50beb4adf corporate/4.0/i586/libldap2.3_0-devel-2.3.27-1.7.20060mlcs4.i586.rpm 79196cec543c6ef7a3186c23d8a9521c corporate/4.0/i586/libldap2.3_0-static-devel-2.3.27-1.7.20060mlcs4.i586.rpm ddfd3e38f81a0377ba53f76b444c572c corporate/4.0/i586/openldap-2.3.27-1.7.20060mlcs4.i586.rpm de6ccff62b0d20d40909e11352c228e9 corporate/4.0/i586/openldap-clients-2.3.27-1.7.20060mlcs4.i586.rpm 88b5898121e94bccea89daf167f0f752 corporate/4.0/i586/openldap-doc-2.3.27-1.7.20060mlcs4.i586.rpm bab597d960c3beba7c4038707b0e97a4 corporate/4.0/i586/openldap-servers-2.3.27-1.7.20060mlcs4.i586.rpm 76b93fec2d6181b7990e0fd024db1a83 corporate/4.0/SRPMS/openldap-2.3.27-1.7.20060mlcs4.src.rpm Corporate 4.0/X86_64: d473f1746238db1e800ee9a5bcf6d998 corporate/4.0/x86_64/lib64ldap2.3_0-2.3.27-1.7.20060mlcs4.x86_64.rpm d8cd847281b4e3913df0fc387a5ad7dc corporate/4.0/x86_64/lib64ldap2.3_0-devel-2.3.27-1.7.20060mlcs4.x86_64.rpm f5160774c2fbd38d4107189a9fd1f4af corporate/4.0/x86_64/lib64ldap2.3_0-static-devel-2.3.27-1.7.20060mlcs4.x86_64.rpm 648a9337b5d4d767af8c3935993d9510 corporate/4.0/x86_64/openldap-2.3.27-1.7.20060mlcs4.x86_64.rpm 6916f332fd61ffb342412ff707ba7cd2 corporate/4.0/x86_64/openldap-clients-2.3.27-1.7.20060mlcs4.x86_64.rpm 1d517b60530d07a512eba6d58828f201 corporate/4.0/x86_64/openldap-doc-2.3.27-1.7.20060mlcs4.x86_64.rpm f82c8eb89405e38b69527167ab5c6df0 corporate/4.0/x86_64/openldap-servers-2.3.27-1.7.20060mlcs4.x86_64.rpm 76b93fec2d6181b7990e0fd024db1a83 corporate/4.0/SRPMS/openldap-2.3.27-1.7.20060mlcs4.src.rpm Mandriva Enterprise Server 5: 4fd998af6bd718e0fc457c428501fa4e mes5/i586/libldap2.4_2-2.4.11-3.3mdvmes5.1.i586.rpm 324ddd890ea4cc8cfc7c1b3f0c721cec mes5/i586/libldap2.4_2-devel-2.4.11-3.3mdvmes5.1.i586.rpm 22d01449812696eb9ab6564fa794752d mes5/i586/libldap2.4_2-static-devel-2.4.11-3.3mdvmes5.1.i586.rpm fd0caddd82573d99fecbe57fd850f40c mes5/i586/openldap-2.4.11-3.3mdvmes5.1.i586.rpm e089c0c4de14d82177b6ec9a7f1a5499 mes5/i586/openldap-clients-2.4.11-3.3mdvmes5.1.i586.rpm af27dd0a93bf0806263832f25dea30f2 mes5/i586/openldap-doc-2.4.11-3.3mdvmes5.1.i586.rpm fe133f20425e2f8fcfb573717b1bb187 mes5/i586/openldap-servers-2.4.11-3.3mdvmes5.1.i586.rpm bb314030b8753c5440cebdffb807979d mes5/i586/openldap-testprogs-2.4.11-3.3mdvmes5.1.i586.rpm 10d770ef4c137cdd7ccf0a209cab2014 mes5/i586/openldap-tests-2.4.11-3.3mdvmes5.1.i586.rpm ffffc1d801bb8631cbd93bb39b9cb3cf mes5/SRPMS/openldap-2.4.11-3.3mdvmes5.1.src.rpm Mandriva Enterprise Server 5/X86_64: 4677f2c088c4377876fbad8d42b9e149 mes5/x86_64/lib64ldap2.4_2-2.4.11-3.3mdvmes5.1.x86_64.rpm 7fea8ea62e0af1d9c2577db737415d36 mes5/x86_64/lib64ldap2.4_2-devel-2.4.11-3.3mdvmes5.1.x86_64.rpm 159b1e576e018fd368a71de46824b2bb mes5/x86_64/lib64ldap2.4_2-static-devel-2.4.11-3.3mdvmes5.1.x86_64.rpm 9b7d324296c7b1e60dfc19944266baf0 mes5/x86_64/openldap-2.4.11-3.3mdvmes5.1.x86_64.rpm 9d3cd93949ef1fc4ed017753d23ab119 mes5/x86_64/openldap-clients-2.4.11-3.3mdvmes5.1.x86_64.rpm 16cdec6e19b3183016ab96a41656d89c mes5/x86_64/openldap-doc-2.4.11-3.3mdvmes5.1.x86_64.rpm 210b46799fb19c6a6cfffdfa2ea8d363 mes5/x86_64/openldap-servers-2.4.11-3.3mdvmes5.1.x86_64.rpm b76d1f8ee367b6f8801a61df446f38fc mes5/x86_64/openldap-testprogs-2.4.11-3.3mdvmes5.1.x86_64.rpm 87e2dbec1afd666e6bffc882b4d9388b mes5/x86_64/openldap-tests-2.4.11-3.3mdvmes5.1.x86_64.rpm ffffc1d801bb8631cbd93bb39b9cb3cf mes5/SRPMS/openldap-2.4.11-3.3mdvmes5.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFMUE+TmqjQ0CJFipgRAvttAJ9BOwCLGqsr2OCPbPbC/n0gZJbKSACffJyG 6VPyNXWem3l2YSPIvVQ1kmQ= =IB5R -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/