Date: 16 July 2007
References: ESB-2007.0274
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AA-2007.0058 AUSCERT Advisory
[Win][Netware][UNIX/Linux]
Novell eDirectory 8.7.3 SP9 FTF1 release fixes several vulnerabilities
16 July 2007
- ---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product: Novell eDirectory 8.7.3 SP9
Operating System: Linux variants
Windows
Netware
Solaris
AIX
HP-UX
Impact: Reduced Security
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2006-4520
Member content until: Monday, August 13 2007
Ref: ESB-2007.0274
OVERVIEW:
Novell eDirectory 8.7.3 SP9 Field Test File 1 has been released fixing
several vulnerabilities:
- The DNS code of eDirectory has an unspecified vulnerability. [1]
- A double free vulnerability exists when querying a dynamic group
via LDAP. [1]
- The NCP fragment denial of service vulnerability reported previously
in AusCERT ESB-2007.0274 is also fixed in this FTF release. [3]
IMPACT:
Novell has not yet disclosed the impact of the first two vulnerabilities.
In many cases double free memory corruption vulnerabilities are exploitable
to execute arbitrary code.
MITIGATION:
The latest patch set for eDirectory 8.7.3 SP9 is Field Test File 2.
This includes fixes for these vulnerabilities. [1][2]
REFERENCES:
[1] eDirectory 8.7.3 SP9 FTF2 for Linux & Unix
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5004621.html
[2] eDirectory 8.7.3 SP9 FTF2 for NW & Win32
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5004620.html
[3] AusCERT ESB-2007.0274
http://www.auscert.org.au/7527
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRpsRQyh9+71yA2DNAQI7VQP/cV5qO1A3dDui5+8m2Cqa9T4NhWqstEMN
L44Y2IGhhD0a9MbKLlv87zISG3B7BqAO9OhwU7sCvPeT2faQWs4d+9z+r9Ss1W/t
h9BKk0MkODKdi3jz7OaS35ZTmSYZ5Uu/+zSWUdhPvM1cLown18i4351of9aZC6vL
UqI17wXFGi8=
=L9bZ
-----END PGP SIGNATURE-----
|