_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2011:056
http://www.mandriva.com/security/
_______________________________________________________________________

Package : openldap
Date    : March 30, 2011
Affected: 2010.0, 2010.1
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been identified and fixed in openldap:

chain.c in back-ldap in OpenLDAP 2.4.x before 2.4.24, when a master-slave
configuration with a chain overlay and ppolicy_forward_updates (aka
authentication-failure forwarding) is used, allows remote authenticated
users to bypass external-program authentication by sending an invalid
password to a slave server (CVE-2011-1024).

bind.cpp in back-ndb in OpenLDAP 2.4.x before 2.4.24 does not require
authentication for the root Distinguished Name (DN), which allows remote
attackers to bypass intended access restrictions via an arbitrary
password (CVE-2011-1025).

modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attackers
to cause a denial of service (daemon crash) via a relative Distinguished
Name (DN) modification request (aka MODRDN operation) that contains an
empty value for the OldDN field (CVE-2011-1081).

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1024
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1081
_______________________________________________________________________

Updated Packages:
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
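A patch-state check for the hosts this advisory covers, added here as an example and not part of the Mandriva advisory or its tooling. It compares installed package NVRs (assumed to be `rpm -qa` output without an architecture suffix) against the fixed version/release pairs taken from the advisory's package list, using a simplified rpm-style version comparison; the sample inventory is constructed.

```python
import re

# Fixed (version, release) per Mandriva release, from the advisory's package
# list. Mandriva backported the upstream 2.4.24 fixes, so a patched host
# still reports upstream version 2.4.19 (2010.0) or 2.4.22 (2010.1).
FIXED = {
    "2010.0": ("2.4.19", "2.2mdv2010.0"),
    "2010.1": ("2.4.22", "2.2mdv2010.2"),
}

_SEG = re.compile(r"\d+|[A-Za-z]+")   # rpm splits on non-alphanumerics

def rpmvercmp(a, b):
    """Simplified rpm segment comparison: -1, 0 or 1 (no tilde/caret rules)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # numeric segment is newer
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):                        # longer string is newer
        return -1 if len(sa) < len(sb) else 1
    return 0

def split_nvr(nvr):
    """'openldap-servers-2.4.19-2.1mdv2010.0' -> (name, version, release)."""
    return tuple(nvr.rsplit("-", 2))

def is_patched(nvr, mdv_release):
    """True if the installed NVR is at or above the advisory's fixed NVR."""
    _, ver, rel = split_nvr(nvr)
    fver, frel = FIXED[mdv_release]
    c = rpmvercmp(ver, fver)
    return c > 0 if c != 0 else rpmvercmp(rel, frel) >= 0

def audit(rpm_qa_output, mdv_release):
    """Map each ldap package in `rpm -qa` output (no arch suffix) to patched?"""
    return {
        split_nvr(line)[0]: is_patched(line, mdv_release)
        for line in rpm_qa_output.split()
        if "ldap" in line
    }

# Constructed sample inventory (hypothetical 2010.0 host, not real output).
SAMPLE_2010_0 = """openldap-servers-2.4.19-2.1mdv2010.0
libldap2.4_2-2.4.19-2.2mdv2010.0
bash-4.0-7mdv2010.0"""
```

Note that a check against the upstream threshold alone (`rpmvercmp("2.4.19", "2.4.24")` is -1) would flag a fully patched Mandriva host as vulnerable; the distribution release tag is what carries the backported fix.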