oss-sec mailing list archives
Re: CVE Request -- OpenLDAP -- two issues
From: Thomas Biege <thomas () suse de>
Date: Mon, 28 Feb 2011 14:16:06 +0100
The following might also need a CVE-ID.

https://bugzilla.novell.com/show_bug.cgi?id=674985#c1
------------------------------------------------------------------------------
http://www.openldap.org/its/index.cgi/Software Bugs?id=6768

That's a pretty bad DOS. Everybody (even unauthenticated users) can kill the
server by submitting a MODRDN request with an empty "olddn" value and
"remove old RDN" set (-r).

Example:
ldapmodrdn -x -H ldap://ldapserver -r '' o=test
------------------------------------------------------------------------------

On Friday 25 February 2011 17:18:08, Josh Bressers wrote:
----- Original Message -----
Hello Josh, Steve, vendors,

looks like the following two issues did not get CVE identifiers yet:

[1] http://secunia.com/advisories/43331/

The above advisory covers both bugs below.

[2] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6607

CVE-2011-1024 openldap forwarded bind failure messages cause success

[3] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6661

CVE-2011-1025 openldap rootpw is not verified with slapd.conf

Thanks.
--
Thomas Biege <thomas () suse de>, SUSE LINUX, Security Support & Auditing
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
Whoever stops wanting to become better stops being good.
  -- Marie von Ebner-Eschenbach