full-disclosure-uk August 2008 archive

[USN-634-1] OpenLDAP vulnerability

From: Kees Cook <kees_at_nospam>
Date: Fri Aug 01 2008 - 15:27:01 GMT
To: ubuntu-security-announce@lists.ubuntu.com



Ubuntu Security Notice USN-634-1
August 01, 2008
openldap2.2, openldap2.3 vulnerability
CVE-2008-2952

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS: slapd 2.2.26-5ubuntu2.8
Ubuntu 7.04: slapd 2.3.30-2ubuntu0.3
Ubuntu 7.10: slapd 2.3.35-1ubuntu0.3
Ubuntu 8.04 LTS: slapd 2.4.9-0ubuntu0.8.04.1

In general, a standard system upgrade is sufficient to effect the necessary changes.
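
To confirm the upgrade took effect across several hosts, the installed slapd version can be compared with the fixed version for each release. The following is an added example, not part of the original advisory: it reimplements Debian version ordering so it runs without dpkg, and the inventory format, host names and installed versions are constructed assumptions.

```python
import re

# Fixed slapd versions per Ubuntu release, copied from the advisory text.
FIXED = {"6.06": "2.2.26-5ubuntu2.8", "7.04": "2.3.30-2ubuntu0.3",
         "7.10": "2.3.35-1ubuntu0.3", "8.04": "2.4.9-0ubuntu0.8.04.1"}

def _order(ch):  # Debian ordering: '~' < end of string (0) < letters < other chars
    return 0 if not ch else -1 if ch == "~" else ord(ch) + (0 if ch.isalpha() else 256)

def _cmp_part(a, b):
    """Compare two version components, alternating text runs and digit runs."""
    while a or b:
        ta, tb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(ta):], b[len(tb):]
        for i in range(max(len(ta), len(tb))):
            oa, ob = _order(ta[i:i + 1]), _order(tb[i:i + 1])
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return epoch, upstream, rev

def deb_cmp(a, b):
    """Return -1, 0 or 1: first difference across epoch, upstream, revision."""
    return next((c for c in map(_cmp_part, _split(a), _split(b)) if c), 0)

def audit(inventory):
    """Classify 'host release slapd-version' lines against the advisory."""
    out = {}
    for host, release, installed in (l.split() for l in inventory.strip().splitlines()):
        fixed = FIXED.get(release)
        out[host] = ("not-covered" if fixed is None else
                     "patched" if deb_cmp(installed, fixed) >= 0 else "needs-upgrade")
    return out

# Constructed inventory (hypothetical hosts and installed versions).
SAMPLE = """ldap1 6.06 2.2.26-5ubuntu2.8
ldap2 7.10 2.3.35-1ubuntu0.2
ldap3 8.04 2.4.9-0ubuntu0.8.04.2
ldap4 8.10 2.4.11-0ubuntu6"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a single host, `dpkg --compare-versions` performs the same comparison against the version reported by `dpkg-query -W slapd`.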

Details follow:

Cameron Hotchkies discovered that OpenLDAP did not correctly handle certain ASN.1 BER data. A remote attacker could send a specially crafted packet and crash slapd, leading to a denial of service.

Updated packages for Ubuntu 6.06 LTS:


Updated packages for Ubuntu 7.04:


Updated packages for Ubuntu 7.10:


Updated packages for Ubuntu 8.04 LTS:

