oss-sec mailing list archives
Denial of service in 389-ds and FreeIPA (CVE-2013-0336)
From: Vincent Danen <vdanen () redhat com>
Date: Wed, 27 Mar 2013 09:05:50 -0600
As this was reported to the distros list on the 23rd of this month, I'm sharing the details here now as it is public. Sumit Bose discovered that FreeIPA's directory server (dirsrv) would segfault if an unauthenicated user attempted to connect to it with a missing username/dn. According to RFC 3062, connecting without specifying the username/dn is valid. This issue only affects FreeIPA 3.1 and 389-ds 1.3.x; earlier versions do not have the vulnerable code. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=913751 --Vincent Danen / Red Hat Security Response Team
Current thread:
- Denial of service in 389-ds and FreeIPA (CVE-2013-0336) Vincent Danen (Mar 27)