-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2492
                         openldap security update
                                20 May 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openldap
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-29155  

Original Bulletin: 
   https://lists.debian.org/debian-security-announce/2022/msg00108.html

Comment: CVSS (Max):  9.8 CVE-2022-29155 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-5140-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 19, 2022                          https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : openldap
CVE ID         : CVE-2022-29155

Jacek Konieczny discovered a SQL injection vulnerability in the back-sql
backend to slapd in OpenLDAP, a free implementation of the Lightweight
Directory Access Protocol, allowing an attacker to alter the database
during an LDAP search operation when a specially crafted search filter
is processed.

For the oldstable distribution (buster), this problem has been fixed
in version 2.4.47+dfsg-3+deb10u7.

For the stable distribution (bullseye), this problem has been fixed in
version 2.4.57+dfsg-3+deb11u1.

We recommend that you upgrade your openldap packages.
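Two checks a practitioner wants when acting on this advisory: whether the
affected back-sql backend is configured on a given slapd host at all, and
whether each host's installed openldap is at or past the fixed version for
its suite. The script below is an added example, not Debian's or AusCERT's
code. It re-implements dpkg's version ordering in pure Python so the fleet
check can run somewhere dpkg is not installed, and it goes a little beyond
the advisory text by recognising both slapd.conf (`database sql`,
`moduleload back_sql`) and cn=config LDIF (`olcDatabase: {n}sql`,
`olcModuleLoad: back_sql`) forms of the backend declaration. The host
inventory and slapd.conf fragments are constructed sample data; the fixed
versions are the ones stated in DSA-5140-1.

```python
"""Triage helper for DSA-5140-1 / CVE-2022-29155 (openldap back-sql).

Added example, not Debian's or AusCERT's code.  Inventory and config
fragments below are constructed; fixed versions come from the advisory.
"""
import re

# Fixed versions from DSA-5140-1, keyed by Debian suite.
FIXED_VERSIONS = {
    "buster": "2.4.47+dfsg-3+deb10u7",
    "bullseye": "2.4.57+dfsg-3+deb11u1",
}


def _order(c: str) -> int:
    """Character weight dpkg uses for the non-digit parts of a version."""
    if c == "~":
        return -1           # '~' sorts before everything, even end of string
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256     # punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp: alternate non-digit and numeric segment comparison."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare a run of non-digit characters (end of string weighs 0).
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Compare a run of digits numerically: strip leading zeros, then the
        # longer run wins, otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(v: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """<0, 0, >0 as a is older than, equal to, newer than b (dpkg rules)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


# Lines that declare or load the back-sql backend, in slapd.conf or cn=config LDIF.
_BACKSQL_PATTERNS = (
    re.compile(r"^database\s+sql\b", re.I),
    re.compile(r"^moduleload\s+\S*back_sql\b", re.I),
    re.compile(r"^olcDatabase:\s*(\{\d+\})?sql\b", re.I),
    re.compile(r"^olcModuleLoad:\s*(\{\d+\})?\S*back_sql\b", re.I),
)


def uses_back_sql(config_text: str) -> bool:
    """True if the config text enables the back-sql backend (comments ignored)."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if any(p.match(line) for p in _BACKSQL_PATTERNS):
            return True
    return False


def dsa_5140_status(suite: str, installed: str) -> str:
    """Classify an installed openldap version against the advisory's fix."""
    fixed = FIXED_VERSIONS.get(suite)
    if fixed is None:
        return "unknown-suite"
    return "fixed" if compare_versions(installed, fixed) >= 0 else "vulnerable"


# Constructed inventory: (host, suite, output of
# `dpkg-query -W -f '${Version}' slapd` on that host).
SAMPLE_INVENTORY = [
    ("ldap1", "buster", "2.4.47+dfsg-3+deb10u6"),
    ("ldap2", "buster", "2.4.47+dfsg-3+deb10u7"),
    ("ldap3", "bullseye", "2.4.57+dfsg-3"),
    ("ldap4", "bullseye", "2.4.57+dfsg-3+deb11u1"),
    ("ldap5", "sid", "2.5.12+dfsg-1"),
]
# Constructed slapd.conf fragments: one with back-sql live, one without.
SAMPLE_CONF_SQL = "include /etc/ldap/schema/core.schema\nmoduleload back_sql.la\ndatabase sql\nsuffix \"dc=example,dc=com\"\n"
SAMPLE_CONF_MDB = "include /etc/ldap/schema/core.schema\ndatabase mdb\nsuffix \"dc=example,dc=com\"\n# database sql (disabled)\n"


def triage(inventory=SAMPLE_INVENTORY):
    """Return {host: status} for every host in the inventory."""
    return {host: dsa_5140_status(suite, ver) for host, suite, ver in inventory}


if __name__ == "__main__":
    for host, status in triage().items():
        print(f"{host}: {status}")
    print("back-sql in SAMPLE_CONF_SQL:", uses_back_sql(SAMPLE_CONF_SQL))
    print("back-sql in SAMPLE_CONF_MDB:", uses_back_sql(SAMPLE_CONF_MDB))
```

The backend check tells you which hosts are exposed to this particular
flaw; a slapd that only serves mdb or hdb databases does not process search
filters through back-sql, but the package should still be upgraded on every
host so the fleet stays at a single patched version. On a real Debian host
`dpkg --compare-versions` gives the same ordering as compare_versions above,
and `dpkg-query -W -f '${Version}' slapd` supplies the installed version
for the inventory.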

For the detailed security status of openldap please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/openldap

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmKGog5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0R03Q//TDC5ZCoSjIFiAhWdDUZudPRo8O8Pec3Z1fJ90MHkqFV7UiVSbjkoJhHi
0MMNgD6kiDvCM5NE7Opv7uxGviNJCJmvzwdw11X4m+HVbt5phfooeM4rr4MAV8FM
t7OfUinVTb1kry3j1660SiV1J5wI2WXXta8yj8zDIYnpWD0k/ievXgFjN+jfLSbu
GO7E4k2bmHmyi4P/C9BExkzMINa7y4DbfQzTTbBFycEKE6FQeTxJhI4U1uUf27/y
iy5vB17E5R4PCmaX3+YGjvb/TceSX6q/Bs49hh3ktL8K6o3csBsglgR8uHygBqxQ
JggTEKO+L/zP5Av9nZRmp0krTlKf52uGlCD9hS/vp4YOlDTnLgXkMivPoYSZms0L
dEIhFgwd4+iKZD5JgUYqcv9ZHA51+9XT8shCjgWLRYzPQbgBs0zl5iGYa36RvYwR
7tS0STd4GJpcBPrry3ppqsp0E+7WplAY9H8RHUgl3r+rGXygpW0QsYycT39MPFDD
IH5G5nmhOxoHD25nnW36+Fl7V2An76Jc/br1hpc0TV9hQkmpDbZJdjBJLINS12FP
J/WSWIeywDmJHYHrU/PNWBPh9OqSJyxrrX7kfxdXWDFZy4o2Db+A48m7X8f3rlrv
rFUMS3KcBrQqvx3nq2gj5CpPCAz000d0/GnECLckeIeYTL8OqhY=
=PNiK
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYocG6skNZI30y1K9AQjMKw//aSA0ZqD2X4sWAO8zrg+HPlWf8tmrU4oZ
05dHFZ2OTXSloDNaZi0kPaqpXgaYG8Zp3kYgOt8sq5WzkV1O1bW1A+6WOYOcXiKw
4nfHdZ92BsI8Gr+ssJLA20ZfR+iHZBiKg2zqmC6DKxRTNz/Bhe4Z9hbT/eSIKh/S
bTgYSKGCjm5W7MFX2Vu0xnJ8XrOIRi6pB6QEMRm434tK0yacBJM4ql1me824sviO
kY3zMab247mEcOm8CniSKfz5YoujW1GcBntoUWSSC/eCRC+nGchQ/jAxXKebO77a
Oz6ZNxU/qFnl85MX65c/LS+DLZH7skBftb56K+Wh3tEiAGabIMnttYOXmVivdlmv
KFgfKN/FMrIbJqTvm40OVBdtMY8F9kXc4znkZhPRg7Ike5e6B6QIIGF2sB0Ug/QQ
tOf0EjBSI5+XJcP7EnJpprHOV4AMlGJaR8G/vbYow5PhHQCLfzCk7pQfvVLd1Dfs
jlKX7AoyY4IeQ6dI6WkJjFPQNDGL6MsDEgRkCdjjCWJww9+pq8clWAcU1sxa+IDJ
jYM6ax8hrMvGJKF/ppVDNEw91fT/HIbvekW0WgoPem2Ys0wkluezl9O2TTTFknQW
SVPOYUzdxNgNKnhMKV7oZZZk+0z5n+yHoTPJsFm5CfCEseP/q95x5yUVpeEdcHba
349ckFVRDBw=
=JIWQ
-----END PGP SIGNATURE-----