Date: Mon, 12 Mar 2012 18:36:17 +0100 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> CC: oss-security@...ts.openwall.com Subject: CVE Request -- openldap (slapd): Assertion failure by processing search queries requesting only attributes for particular entry Hello Kurt, Steve, vendors, a denial of service flaw was found in the way the slapd server of the OpenLDAP, the Lightweight Directory Access Protocol applications and development suite, processed certain search queries requesting only attributes (no values) for a particular entry. A remote attacker could issue a specially-crafted LDAP search query, which once processed by a vulnerable slapd server would lead to assertion failure (slapd abort). Upstream bug report:  http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7143 Original upstream patch:  http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=ef2f5263de8802794e528cc2648ecfca369302ae Further patches:  http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=430256fafb85028443d7964a5ab1f4bbf8b2db38  http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=463c1fa25d45e393dc1f1ea235286f79e872fad0 References:  http://www.openldap.org/software/release/changes.html  https://bugs.gentoo.org/show_bug.cgi?id=407941  https://secunia.com/advisories/48372/  https://bugzilla.redhat.com/show_bug.cgi?id=802514 Could you allocate a CVE identifier for this? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ