oss-sec mailing list archives

Re: openldap DoS


From: Nico Golde <oss-security+ml () ngolde de>
Date: Sun, 13 Jul 2008 13:32:07 +0200

Hi Steven,
* Steven M. Christey <coley () linus mitre org> [2008-07-01 23:14]:
> ======================================================
> Name: CVE-2008-2952
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2952
> Reference: CONFIRM:http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580
>
> liblber/io.c in OpenLDAP 2.3.41, 2.3.42, and possibly other versions
> allows remote attackers to cause a denial of service (program
> termination) via crafted ASN.1 BER datagrams, which triggers an
> assertion error.

All versions from 2.2.4 to 2.4.10 are vulnerable according
to upstream; can you update the description to reflect this?
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
