-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1137
                             ldb security update
                                 6 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ldb
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-20277 CVE-2020-27840 CVE-2020-10730
Reference:         ESB-2021.1111 ESB-2020.3823 ESB-2020.2609

Original Bulletin:
   http://www.debian.org/security/2021/dsa-4884

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4884-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 02, 2021                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : ldb
CVE ID         : CVE-2020-10730 CVE-2020-27840 CVE-2021-20277
Debian Bug     : 985935 985936

Multiple vulnerabilities have been discovered in ldb, an LDAP-like embedded
database built on top of TDB.

CVE-2020-10730

    Andrew Bartlett discovered a NULL pointer dereference and use-after-free
    flaw when handling 'ASQ' and 'VLV' LDAP controls and combinations with
    the LDAP paged_results feature.

CVE-2020-27840

    Douglas Bagnall discovered a heap corruption flaw via crafted DN strings.

CVE-2021-20277

    Douglas Bagnall discovered an out-of-bounds read vulnerability in
    handling LDAP attributes that contain multiple consecutive leading
    spaces.

For the stable distribution (buster), these problems have been fixed in
version 2:1.5.1+really1.4.6-3+deb10u1.

We recommend that you upgrade your ldb packages.
For the detailed security status of ldb please refer to its security tracker
page at:
https://security-tracker.debian.org/tracker/ldb

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmBmzXpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0S5iw//fSn7boJeXX4F8N/K+vz9UQtDSYeCTX2TLv0fI9yTyOIoIAtkTAezgoVl
P6bdIkVGSHa9SRMMfLYNEqBkBG5HgiGiOxgo0ypBynDXZTnPBa3pfmRDQ8Bcmb0e
33khq9DmE3eXaF8NuwJ+lT9H1jpni0AF4bMdwdPWIxypfHVvuW4C+1uFoz5OM17u
3Yq5nm0vUg0BDHn3OW8hPqnZEpEWdK9cOpxORnPTKG4Hn3mDVoBEdW0aCMAk+w7w
aHFWZl2cC3+2LfmwjI+moUxo0KWe5PRmUp6R2GaA2XDJbwTKTSreJvHcT1ykgs9L
rQbOMiP0hJsfUAi6R8zUvyiLLfm5JUrOlMDN7U8IpsjUb5GGkxDIZIO4CIf7Xr8a
jV7ouK9MV8G440O+pyusiqUsUmwAFWYj01SdHh0uC+lw/TtqvuvW6+DmBaXll6Ef
Ao+sh3E9LDbvGxgFqVD9/4ksRsUIbuLpdsyqoHoQWvYO1gzRTE1LrF94hs5ZATTe
PAWF0/JJKbVPDs3FeGJWnYmgNNOz0daAStbY4TGFC1oznD/SJAj5PjPCiW2QvVwf
trRZNT4rUe5VeyfFGFHoIReG70y1z1L3E/OSyVffN/4/+t36g3mxOFyghUuuIjN6
eJtE41TrTuwPXjl4pzpp7B7YIYExTg65lkxeFnN+2nMkYA8pbhE=
=arHu
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYGvXjuNLKJtyKPYoAQhyFA//S5JcjLSlv+LIy/76yVXsIC9os4BIr+k4
BKwSp1O50pnAxmHfB/3BHZ4BolyGGpH1MxiApTDcPvi4j0GDokkpPSnBOn8MCt7p
qBJeBlP4FJz1X+RgRxgW0+WPbk1FhWateGCIUql6ABYLTxXSbKXAIdeIEJRjk1k6
B3l9i/2vIdyWYkSuOqWZcrmmH5CKPjUtax63tC6PNjw5xsWOiikPe3A8cplqmOao
EtzI4iHQP61YjYr05QuXk9PdONqHuwYKRAixf4bNdchZkYv+Tka//r5F/FY/8ac8
RpQkScGajo56AwTyDKrpzm9+bFkVjzIEYKZrL+fOh00DbOC4/dFQgLhWYYK0FOi4
u8v7uBb6U0s0fMhvSFqqkM+u2zvmmPVPF7Gz8Y5VB85rTK6W+tg79by1WZx5SmYn
oiKcliGuKx07OuT8Tl1YHheua5aHGtMtHKvrB852QRcCDvrQSlSA/X1wD65N32/B
9gvRGI8WM9uSGCySSXRwfBYG7b0dxcVgX0dznSl1ZdNggFMq37Om0T5tECNBOrQL
zjiH+w4wxP6ZI/NKlbLmu7MDcrHENNidSATWcg/a8RsJFyw1u4/DH7vJozFOcobi
+CONmbTDZZptYzri7XMB1XrLrfqu9Cg8PvzFbwKnX8sQIx+cdMONIPADUFZc/1vu
++dke3/jqUs=
=CWqi
-----END PGP SIGNATURE-----