copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2007.0930 -- [RedHat] -- Moderate: openldap security and enhancement update

Date: 16 November 2007
References: AA-2007.0093  ESB-2007.0892  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                         ESB-2007.0930 -- [RedHat]
            Moderate: openldap security and enhancement update
                             16 November 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              openldap
Publisher:            Red Hat
Operating System:     Red Hat Linux 4
Impact:               Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-5707

Ref:                  AA-2007.0093
                      ESB-2007.0892

Original Bulletin:    https://rhn.redhat.com/errata/RHSA-2007-1038.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Moderate: openldap security and enhancement update
Advisory ID:       RHSA-2007:1038-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-1038.html
Issue date:        2007-11-15
Updated on:        2007-11-15
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2007-5707 
- - ---------------------------------------------------------------------

1. Summary:

Updated openldap packages that fix a security flaw are now available for
Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
Protocol) applications and development tools.

A flaw was found in the way OpenLDAP's slapd daemon handled malformed
objectClasses LDAP attributes.  An authenticated local or remote attacker
could create an LDAP request which could cause a denial of service by
crashing slapd. (CVE-2007-5707)

In addition, the following feature was added:
* OpenLDAP client tools now have new option to configure their bind timeout.

All users are advised to upgrade to these updated openldap packages, which
contain a backported patch to correct this issue and provide this security
enhancement.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  

This update is available via Red Hat Network.  Details on how to use 
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

359851 - CVE-2007-5707 openldap slapd DoS via objectClasses attribute

6. RPMs required:

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/openldap-2.2.13-8.el4_6.1.src.rpm
d83f67fe727e11d6cf1160b024b1f9a2  openldap-2.2.13-8.el4_6.1.src.rpm

i386:
b2c433fe08be943cb34d7ae75d29f022  compat-openldap-2.1.30-8.el4_6.1.i386.rpm
6ddb8c954ba2f85aa11850541d09f2f1  openldap-2.2.13-8.el4_6.1.i386.rpm
219c613cf348abaaebc4c4f9f018ed9d  openldap-clients-2.2.13-8.el4_6.1.i386.rpm
3a5d6b07337958bdfdf7528abcd0ffb2  openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
7f40d96252d441fe7614a9beef25e0af  openldap-devel-2.2.13-8.el4_6.1.i386.rpm
4c19ad7c8b3adc537463852e1eba0233  openldap-servers-2.2.13-8.el4_6.1.i386.rpm
66e950a723214043bbe5b214b6bae217  openldap-servers-sql-2.2.13-8.el4_6.1.i386.rpm

ia64:
b2c433fe08be943cb34d7ae75d29f022  compat-openldap-2.1.30-8.el4_6.1.i386.rpm
6b8aaa38dfbca517ebc8c2eeab072225  compat-openldap-2.1.30-8.el4_6.1.ia64.rpm
6ddb8c954ba2f85aa11850541d09f2f1  openldap-2.2.13-8.el4_6.1.i386.rpm
e48a6a25b291ebe73a1e500a51d5752c  openldap-2.2.13-8.el4_6.1.ia64.rpm
42ab2e4a1af25c108f86b231af51321d  openldap-clients-2.2.13-8.el4_6.1.ia64.rpm
3a5d6b07337958bdfdf7528abcd0ffb2  openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
f016210f44503358b516cca1e9602042  openldap-debuginfo-2.2.13-8.el4_6.1.ia64.rpm
ebdf2edb9e264227f5877905afef97ee  openldap-devel-2.2.13-8.el4_6.1.ia64.rpm
817e4e1f9963c90506ec40817cb9a311  openldap-servers-2.2.13-8.el4_6.1.ia64.rpm
3a85b2d97f872c32929a36379b09ac65  openldap-servers-sql-2.2.13-8.el4_6.1.ia64.rpm

ppc:
15008c36556193ddd7107d59f319f706  compat-openldap-2.1.30-8.el4_6.1.ppc.rpm
0934b07a1e5daef1715a5905fb3298ff  compat-openldap-2.1.30-8.el4_6.1.ppc64.rpm
8ea26adb6a6c9c8d993f69d06e0c13b8  openldap-2.2.13-8.el4_6.1.ppc.rpm
dc6666f0c29108215a50e3042ec3f1f6  openldap-2.2.13-8.el4_6.1.ppc64.rpm
63be6242af95535f973448e04be6001c  openldap-clients-2.2.13-8.el4_6.1.ppc.rpm
7f3c6b841561748c440c9d5594ab10bb  openldap-debuginfo-2.2.13-8.el4_6.1.ppc.rpm
d70cd5cb7911fc0fef4c2ec82e450c11  openldap-debuginfo-2.2.13-8.el4_6.1.ppc64.rpm
62ed6b0c6972a93067b0ae7b5050fde1  openldap-devel-2.2.13-8.el4_6.1.ppc.rpm
addded6b3675c6fbd1fff79de7c9fd7a  openldap-servers-2.2.13-8.el4_6.1.ppc.rpm
86611366034b049e10e31120f23071ea  openldap-servers-sql-2.2.13-8.el4_6.1.ppc.rpm

s390:
d10bae9f186810046b7c1f303d2b5275  compat-openldap-2.1.30-8.el4_6.1.s390.rpm
f6a5eb8f946114440c247a61ff3d39ad  openldap-2.2.13-8.el4_6.1.s390.rpm
19cd9d96abfaf4ae90c7c5c56d1963c5  openldap-clients-2.2.13-8.el4_6.1.s390.rpm
9e2f2f3537e2a78814cdbf681e4276c3  openldap-debuginfo-2.2.13-8.el4_6.1.s390.rpm
9cf8b1ccb6fcd9d15ff6bc204f06b4dc  openldap-devel-2.2.13-8.el4_6.1.s390.rpm
f25b8d09c7d36275569c1bd00d23d220  openldap-servers-2.2.13-8.el4_6.1.s390.rpm
349d84c877e0f870fa98e9830fc67454  openldap-servers-sql-2.2.13-8.el4_6.1.s390.rpm

s390x:
d10bae9f186810046b7c1f303d2b5275  compat-openldap-2.1.30-8.el4_6.1.s390.rpm
70801a51bef304886178af6806f9dbcb  compat-openldap-2.1.30-8.el4_6.1.s390x.rpm
f6a5eb8f946114440c247a61ff3d39ad  openldap-2.2.13-8.el4_6.1.s390.rpm
c7359a128c0d74e49a063578606bdaa8  openldap-2.2.13-8.el4_6.1.s390x.rpm
f9b40d30955a1db4f70e6b2cce3ac577  openldap-clients-2.2.13-8.el4_6.1.s390x.rpm
9e2f2f3537e2a78814cdbf681e4276c3  openldap-debuginfo-2.2.13-8.el4_6.1.s390.rpm
36e98eb7d5f13afb6efe38f3f1f13bba  openldap-debuginfo-2.2.13-8.el4_6.1.s390x.rpm
c82e16b66ac226d5263d7d1b7a5f57a8  openldap-devel-2.2.13-8.el4_6.1.s390x.rpm
4b5f38cbdec79291593221a66125e45e  openldap-servers-2.2.13-8.el4_6.1.s390x.rpm
d3c79b08b668917d1156f366c320bce2  openldap-servers-sql-2.2.13-8.el4_6.1.s390x.rpm

x86_64:
b2c433fe08be943cb34d7ae75d29f022  compat-openldap-2.1.30-8.el4_6.1.i386.rpm
a4a32d858eb9289ca447bea8513cfe1d  compat-openldap-2.1.30-8.el4_6.1.x86_64.rpm
6ddb8c954ba2f85aa11850541d09f2f1  openldap-2.2.13-8.el4_6.1.i386.rpm
49aa0f91ab6af3df095e47f5aaafa4b0  openldap-2.2.13-8.el4_6.1.x86_64.rpm
c4dc861ca1240793966e707a8f4a7cd3  openldap-clients-2.2.13-8.el4_6.1.x86_64.rpm
3a5d6b07337958bdfdf7528abcd0ffb2  openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
be99b06e1dbeeec8e5259e1385a368c2  openldap-debuginfo-2.2.13-8.el4_6.1.x86_64.rpm
48d7db553ba4c337e776005170b61d80  openldap-devel-2.2.13-8.el4_6.1.x86_64.rpm
59dce9ed46d0f6661fca7c2d1141da35  openldap-servers-2.2.13-8.el4_6.1.x86_64.rpm
6e64d976439bdacd8200ac3a2197c409  openldap-servers-sql-2.2.13-8.el4_6.1.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/openldap-2.2.13-8.el4_6.1.src.rpm
d83f67fe727e11d6cf1160b024b1f9a2  openldap-2.2.13-8.el4_6.1.src.rpm

i386:
b2c433fe08be943cb34d7ae75d29f022  compat-openldap-2.1.30-8.el4_6.1.i386.rpm
6ddb8c954ba2f85aa11850541d09f2f1  openldap-2.2.13-8.el4_6.1.i386.rpm
219c613cf348abaaebc4c4f9f018ed9d  openldap-clients-2.2.13-8.el4_6.1.i386.rpm
3a5d6b07337958bdfdf7528abcd0ffb2  openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
7f40d96252d441fe7614a9beef25e0af  openldap-devel-2.2.13-8.el4_6.1.i386.rpm
4c19ad7c8b3adc537463852e1eba0233  openldap-servers-2.2.13-8.el4_6.1.i386.rpm
66e950a723214043bbe5b214b6bae217  openldap-servers-sql-2.2.13-8.el4_6.1.i386.rpm

x86_64:
b2c433fe08be943cb34d7ae75d29f022  compat-openldap-2.1.30-8.el4_6.1.i386.rpm
a4a32d858eb9289ca447bea8513cfe1d  compat-openldap-2.1.30-8.el4_6.1.x86_64.rpm
6ddb8c954ba2f85aa11850541d09f2f1  openldap-2.2.13-8.el4_6.1.i386.rpm
49aa0f91ab6af3df095e47f5aaafa4b0  openldap-2.2.13-8.el4_6.1.x86_64.rpm
c4dc861ca1240793966e707a8f4a7cd3  openldap-clients-2.2.13-8.el4_6.1.x86_64.rpm
3a5d6b07337958bdfdf7528abcd0ffb2  openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
be99b06e1dbeeec8e5259e1385a368c2  openldap-debuginfo-2.2.13-8.el4_6.1.x86_64.rpm
48d7db553ba4c337e776005170b61d80  openldap-devel-2.2.13-8.el4_6.1.x86_64.rpm
59dce9ed46d0f6661fca7c2d1141da35  openldap-servers-2.2.13-8.el4_6.1.x86_64.rpm
6e64d976439bdacd8200ac3a2197c409  openldap-servers-sql-2.2.13-8.el4_6.1.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/openldap-2.2.13-8.el4_6.1.src.rpm
d83f67fe727e11d6cf1160b024b1f9a2  openldap-2.2.13-8.el4_6.1.src.rpm

i386:
b2c433fe08be943cb34d7ae75d29f022  compat-openldap-2.1.30-8.el4_6.1.i386.rpm
6ddb8c954ba2f85aa11850541d09f2f1  openldap-2.2.13-8.el4_6.1.i386.rpm
219c613cf348abaaebc4c4f9f018ed9d  openldap-clients-2.2.13-8.el4_6.1.i386.rpm
3a5d6b07337958bdfdf7528abcd0ffb2  openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
7f40d96252d441fe7614a9beef25e0af  openldap-devel-2.2.13-8.el4_6.1.i386.rpm
4c19ad7c8b3adc537463852e1eba0233  openldap-servers-2.2.13-8.el4_6.1.i386.rpm
66e950a723214043bbe5b214b6bae217  openldap-servers-sql-2.2.13-8.el4_6.1.i386.rpm

ia64:
b2c433fe08be943cb34d7ae75d29f022  compat-openldap-2.1.30-8.el4_6.1.i386.rpm
6b8aaa38dfbca517ebc8c2eeab072225  compat-openldap-2.1.30-8.el4_6.1.ia64.rpm
6ddb8c954ba2f85aa11850541d09f2f1  openldap-2.2.13-8.el4_6.1.i386.rpm
e48a6a25b291ebe73a1e500a51d5752c  openldap-2.2.13-8.el4_6.1.ia64.rpm
42ab2e4a1af25c108f86b231af51321d  openldap-clients-2.2.13-8.el4_6.1.ia64.rpm
3a5d6b07337958bdfdf7528abcd0ffb2  openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
f016210f44503358b516cca1e9602042  openldap-debuginfo-2.2.13-8.el4_6.1.ia64.rpm
ebdf2edb9e264227f5877905afef97ee  openldap-devel-2.2.13-8.el4_6.1.ia64.rpm
817e4e1f9963c90506ec40817cb9a311  openldap-servers-2.2.13-8.el4_6.1.ia64.rpm
3a85b2d97f872c32929a36379b09ac65  openldap-servers-sql-2.2.13-8.el4_6.1.ia64.rpm

x86_64:
b2c433fe08be943cb34d7ae75d29f022  compat-openldap-2.1.30-8.el4_6.1.i386.rpm
a4a32d858eb9289ca447bea8513cfe1d  compat-openldap-2.1.30-8.el4_6.1.x86_64.rpm
6ddb8c954ba2f85aa11850541d09f2f1  openldap-2.2.13-8.el4_6.1.i386.rpm
49aa0f91ab6af3df095e47f5aaafa4b0  openldap-2.2.13-8.el4_6.1.x86_64.rpm
c4dc861ca1240793966e707a8f4a7cd3  openldap-clients-2.2.13-8.el4_6.1.x86_64.rpm
3a5d6b07337958bdfdf7528abcd0ffb2  openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
be99b06e1dbeeec8e5259e1385a368c2  openldap-debuginfo-2.2.13-8.el4_6.1.x86_64.rpm
48d7db553ba4c337e776005170b61d80  openldap-devel-2.2.13-8.el4_6.1.x86_64.rpm
59dce9ed46d0f6661fca7c2d1141da35  openldap-servers-2.2.13-8.el4_6.1.x86_64.rpm
6e64d976439bdacd8200ac3a2197c409  openldap-servers-sql-2.2.13-8.el4_6.1.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/openldap-2.2.13-8.el4_6.1.src.rpm
d83f67fe727e11d6cf1160b024b1f9a2  openldap-2.2.13-8.el4_6.1.src.rpm

i386:
b2c433fe08be943cb34d7ae75d29f022  compat-openldap-2.1.30-8.el4_6.1.i386.rpm
6ddb8c954ba2f85aa11850541d09f2f1  openldap-2.2.13-8.el4_6.1.i386.rpm
219c613cf348abaaebc4c4f9f018ed9d  openldap-clients-2.2.13-8.el4_6.1.i386.rpm
3a5d6b07337958bdfdf7528abcd0ffb2  openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
7f40d96252d441fe7614a9beef25e0af  openldap-devel-2.2.13-8.el4_6.1.i386.rpm
4c19ad7c8b3adc537463852e1eba0233  openldap-servers-2.2.13-8.el4_6.1.i386.rpm
66e950a723214043bbe5b214b6bae217  openldap-servers-sql-2.2.13-8.el4_6.1.i386.rpm

ia64:
b2c433fe08be943cb34d7ae75d29f022  compat-openldap-2.1.30-8.el4_6.1.i386.rpm
6b8aaa38dfbca517ebc8c2eeab072225  compat-openldap-2.1.30-8.el4_6.1.ia64.rpm
6ddb8c954ba2f85aa11850541d09f2f1  openldap-2.2.13-8.el4_6.1.i386.rpm
e48a6a25b291ebe73a1e500a51d5752c  openldap-2.2.13-8.el4_6.1.ia64.rpm
42ab2e4a1af25c108f86b231af51321d  openldap-clients-2.2.13-8.el4_6.1.ia64.rpm
3a5d6b07337958bdfdf7528abcd0ffb2  openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
f016210f44503358b516cca1e9602042  openldap-debuginfo-2.2.13-8.el4_6.1.ia64.rpm
ebdf2edb9e264227f5877905afef97ee  openldap-devel-2.2.13-8.el4_6.1.ia64.rpm
817e4e1f9963c90506ec40817cb9a311  openldap-servers-2.2.13-8.el4_6.1.ia64.rpm
3a85b2d97f872c32929a36379b09ac65  openldap-servers-sql-2.2.13-8.el4_6.1.ia64.rpm

x86_64:
b2c433fe08be943cb34d7ae75d29f022  compat-openldap-2.1.30-8.el4_6.1.i386.rpm
a4a32d858eb9289ca447bea8513cfe1d  compat-openldap-2.1.30-8.el4_6.1.x86_64.rpm
6ddb8c954ba2f85aa11850541d09f2f1  openldap-2.2.13-8.el4_6.1.i386.rpm
49aa0f91ab6af3df095e47f5aaafa4b0  openldap-2.2.13-8.el4_6.1.x86_64.rpm
c4dc861ca1240793966e707a8f4a7cd3  openldap-clients-2.2.13-8.el4_6.1.x86_64.rpm
3a5d6b07337958bdfdf7528abcd0ffb2  openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
be99b06e1dbeeec8e5259e1385a368c2  openldap-debuginfo-2.2.13-8.el4_6.1.x86_64.rpm
48d7db553ba4c337e776005170b61d80  openldap-devel-2.2.13-8.el4_6.1.x86_64.rpm
59dce9ed46d0f6661fca7c2d1141da35  openldap-servers-2.2.13-8.el4_6.1.x86_64.rpm
6e64d976439bdacd8200ac3a2197c409  openldap-servers-sql-2.2.13-8.el4_6.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5707
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFHPHfpXlSAg2UNWIIRAg5ZAJ9O3WasZApIh4oqZsheqyt2blLxJwCfTPch
db+zv5iKjFzwxOgBYZgatSA=
=Iq6r
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRz0SdCh9+71yA2DNAQIJHAP/RBT7m5l33oC6Le5+ZVYHsQw23yMi8IML
QfP8mCg+DcregoaNTVKxCQsf9XeTkYb40WcEgxmBLX+mFbmAwRpB3RfEAvixeNlJ
TqMuFnKo0m+mMxlR2MRXMQJCjeDKqBdhnb5sA765TRByfOjvePiva+KEpItb6/gM
1XgkK+dksig=
=HuIV
-----END PGP SIGNATURE-----