-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2492
                           openldap security update
                                 20 May 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openldap
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-29155

Original Bulletin:
   https://lists.debian.org/debian-security-announce/2022/msg00108.html

Comment: CVSS (Max):  9.8 CVE-2022-29155 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-5140-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
May 19, 2022                          https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : openldap
CVE ID         : CVE-2022-29155

Jacek Konieczny discovered a SQL injection vulnerability in the back-sql
backend to slapd in OpenLDAP, a free implementation of the Lightweight
Directory Access Protocol, allowing an attacker to alter the database
during an LDAP search operation when a specially crafted search filter
is processed.

For the oldstable distribution (buster), this problem has been fixed
in version 2.4.47+dfsg-3+deb10u7.

For the stable distribution (bullseye), this problem has been fixed in
version 2.4.57+dfsg-3+deb11u1.

We recommend that you upgrade your openldap packages.
For the detailed security status of openldap please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openldap

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmKGog5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0R03Q//TDC5ZCoSjIFiAhWdDUZudPRo8O8Pec3Z1fJ90MHkqFV7UiVSbjkoJhHi
0MMNgD6kiDvCM5NE7Opv7uxGviNJCJmvzwdw11X4m+HVbt5phfooeM4rr4MAV8FM
t7OfUinVTb1kry3j1660SiV1J5wI2WXXta8yj8zDIYnpWD0k/ievXgFjN+jfLSbu
GO7E4k2bmHmyi4P/C9BExkzMINa7y4DbfQzTTbBFycEKE6FQeTxJhI4U1uUf27/y
iy5vB17E5R4PCmaX3+YGjvb/TceSX6q/Bs49hh3ktL8K6o3csBsglgR8uHygBqxQ
JggTEKO+L/zP5Av9nZRmp0krTlKf52uGlCD9hS/vp4YOlDTnLgXkMivPoYSZms0L
dEIhFgwd4+iKZD5JgUYqcv9ZHA51+9XT8shCjgWLRYzPQbgBs0zl5iGYa36RvYwR
7tS0STd4GJpcBPrry3ppqsp0E+7WplAY9H8RHUgl3r+rGXygpW0QsYycT39MPFDD
IH5G5nmhOxoHD25nnW36+Fl7V2An76Jc/br1hpc0TV9hQkmpDbZJdjBJLINS12FP
J/WSWIeywDmJHYHrU/PNWBPh9OqSJyxrrX7kfxdXWDFZy4o2Db+A48m7X8f3rlrv
rFUMS3KcBrQqvx3nq2gj5CpPCAz000d0/GnECLckeIeYTL8OqhY=
=PNiK
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has
had no control over its content. The decision to follow or act on
information or advice contained in this security bulletin is the
responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following
or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYocG6skNZI30y1K9AQjMKw//aSA0ZqD2X4sWAO8zrg+HPlWf8tmrU4oZ
05dHFZ2OTXSloDNaZi0kPaqpXgaYG8Zp3kYgOt8sq5WzkV1O1bW1A+6WOYOcXiKw
4nfHdZ92BsI8Gr+ssJLA20ZfR+iHZBiKg2zqmC6DKxRTNz/Bhe4Z9hbT/eSIKh/S
bTgYSKGCjm5W7MFX2Vu0xnJ8XrOIRi6pB6QEMRm434tK0yacBJM4ql1me824sviO
kY3zMab247mEcOm8CniSKfz5YoujW1GcBntoUWSSC/eCRC+nGchQ/jAxXKebO77a
Oz6ZNxU/qFnl85MX65c/LS+DLZH7skBftb56K+Wh3tEiAGabIMnttYOXmVivdlmv
KFgfKN/FMrIbJqTvm40OVBdtMY8F9kXc4znkZhPRg7Ike5e6B6QIIGF2sB0Ug/QQ
tOf0EjBSI5+XJcP7EnJpprHOV4AMlGJaR8G/vbYow5PhHQCLfzCk7pQfvVLd1Dfs
jlKX7AoyY4IeQ6dI6WkJjFPQNDGL6MsDEgRkCdjjCWJww9+pq8clWAcU1sxa+IDJ
jYM6ax8hrMvGJKF/ppVDNEw91fT/HIbvekW0WgoPem2Ys0wkluezl9O2TTTFknQW
SVPOYUzdxNgNKnhMKV7oZZZk+0z5n+yHoTPJsFm5CfCEseP/q95x5yUVpeEdcHba
349ckFVRDBw=
=JIWQ
-----END PGP SIGNATURE-----