oss-sec mailing list archives
Re: openldap DoS
From: Josh Bressers <bressers () redhat com>
Date: Tue, 01 Jul 2008 11:05:37 -0400
On 30 June 2008, Josh Bressers wrote:
> On 30 June 2008, Ludwig Nussel wrote:
> > Hi,
> >
> > Remote unauthenticated attackers can trigger an assertion in the ASN.1 BER decoding of openldap and crash the server:
> > http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580
> >
> > The patch is here it seems:
> > http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=1.120&r2=1.121&hideattic=1&sortbydate=0
So it seems from my testing, this flaw does not trigger the assertion on OpenLDAP version 2.0.27, but does on at least 2.2.13. As upstream suggested this was added in version 1.88 of the io.c file, that would suggest this flaw should affect OpenLDAP versions after 2.1.20 (don't quote me on this, as I'm not completely sure; it could affect a few older versions around 2.1.20).

Thanks.

-- 
JB
Current thread:
- Re: openldap DoS Josh Bressers (Jul 01)
- Re: openldap DoS Steven M. Christey (Jul 01)
- Re: openldap DoS Nico Golde (Jul 13)
- Re: openldap DoS Ludwig Nussel (Jul 01)