Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 27 Mar 2013 09:05:50 -0600
From: Vincent Danen <>
Subject: Denial of service in 389-ds and FreeIPA (CVE-2013-0336)

As this was reported to the distros list on the 23rd of this month, I'm
sharing the details here now as it is public.

Sumit Bose discovered that FreeIPA's directory server (dirsrv) would
segfault if an unauthenicated user attempted to connect to it with a
missing username/dn.  According to RFC 3062, connecting without
specifying the username/dn is valid.

This issue only affects FreeIPA 3.1 and 389-ds 1.3.x; earlier versions
do not have the vulnerable code.


Vincent Danen / Red Hat Security Response Team 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.