Debian alert: New openldap packages fix buffer overflows and remote exploit

Posted by dave on Jan 13, 2003 6:07 AM EDT
Mailing list
Mail this story
Print this story

The SuSE Security Team reviewed critical parts of openldap2, an implementation of the Lightweight Directory Access Protocol (LDAP) version 2 and 3, and found several buffer overflows and other bugs remote attackers could exploit to gain access on systems running vulnerable LDAP servers. In addition to these bugs, various local exploitable bugs within the OpenLDAP2 libraries have been fixed.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 227-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
January, 13th, 2003                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openldap2
Vulnerability  : buffer overflows and other bugs
Problem-Type   : local, remote
Debian-specific: no
CVE Id         : CAN-2002-1378 CAN-2002-1379
BugTraq Id     : 6328

The SuSE Security Team reviewed critical parts of openldap2, an
implementation of the Lightweight Directory Access Protocol (LDAP)
version 2 and 3, and found several buffer overflows and other bugs
remote attackers could exploit to gain access on systems running
vulnerable LDAP servers.  In addition to these bugs, various local
exploitable bugs within the OpenLDAP2 libraries have been fixed.

For the current stable distribution (woody) these problems have been
fixed in version 2.0.23-6.3.

The old stable distribution (potato) does not contain OpenLDAP2
packages.

For the unstable distribution (sid) these problems have been fixed in
version 2.0.27-3.

We recommend that you upgrade your openldap2 packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openldap2/openldap2_2.0.23-6.3.dsc
      Size/MD5 checksum:      763 45168fb49d17bcbefc2d920400705ac1
    http://security.debian.org/pool/updates/main/o/openldap2/openldap2_2.0.23-6.3.diff.gz
      Size/MD5 checksum:    20913 f0fa8fa225ccd5ce44504811511c9ad4
    http://security.debian.org/pool/updates/main/o/openldap2/openldap2_2.0.23.orig.tar.gz
      Size/MD5 checksum:  1302928 d13cfded502c7d2b43b3c42b4e6dd599

  Alpha architecture:

    http://security.debian.org/pool/updates/main/o/openldap2/ldap-gateways_2.0.23-6.3_alpha.deb
      Size/MD5 checksum:    87630 29068d6586e62aa8141995d19d85b5f2
    http://security.debian.org/pool/updates/main/o/openldap2/ldap-utils_2.0.23-6.3_alpha.deb
      Size/MD5 checksum:   113812 ffe2c1b7afd49bbd45143b4d2c5738a3
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2_2.0.23-6.3_alpha.deb
      Size/MD5 checksum:   213992 5a20e5fa07a7e64c501fce960bafb00d
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2-dev_2.0.23-6.3_alpha.deb
      Size/MD5 checksum:  1833542 4554c75be54f37f98062874c1fd05ef3
    http://security.debian.org/pool/updates/main/o/openldap2/slapd_2.0.23-6.3_alpha.deb
      Size/MD5 checksum:   806478 e3ebfb7fefffdebdfc48127c53989b5a

  ARM architecture:

    http://security.debian.org/pool/updates/main/o/openldap2/ldap-gateways_2.0.23-6.3_arm.deb
      Size/MD5 checksum:    65998 395356a67fc07a37cb7ff83e4f433f08
    http://security.debian.org/pool/updates/main/o/openldap2/ldap-utils_2.0.23-6.3_arm.deb
      Size/MD5 checksum:    90090 2d6582bca66d8d4975767e9143610617
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2_2.0.23-6.3_arm.deb
      Size/MD5 checksum:   183032 202e9ee365ea54dab60b7b827d47b759
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2-dev_2.0.23-6.3_arm.deb
      Size/MD5 checksum:  1789034 7144479db1c2c8433fcd89ee6b1cd693
    http://security.debian.org/pool/updates/main/o/openldap2/slapd_2.0.23-6.3_arm.deb
      Size/MD5 checksum:   672624 d93eddf64b805fe8ad456e1abb477237

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/o/openldap2/ldap-gateways_2.0.23-6.3_i386.deb
      Size/MD5 checksum:    65232 423b8b0b3fd8a09ef365d4ec25023d26
    http://security.debian.org/pool/updates/main/o/openldap2/ldap-utils_2.0.23-6.3_i386.deb
      Size/MD5 checksum:    86350 0bc201b83a18897972cecccb37beba0b
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2_2.0.23-6.3_i386.deb
      Size/MD5 checksum:   172742 2222f508b8f6b0cf808ece56cfd639e9
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2-dev_2.0.23-6.3_i386.deb
      Size/MD5 checksum:  1732946 1f98f56fb5b0215788c9581cc330a77a
    http://security.debian.org/pool/updates/main/o/openldap2/slapd_2.0.23-6.3_i386.deb
      Size/MD5 checksum:   606922 42fc1c90d802d9bc155094cd2c5b3a05

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/o/openldap2/ldap-gateways_2.0.23-6.3_ia64.deb
      Size/MD5 checksum:    97926 102155513b8228429771ede0d79ba286
    http://security.debian.org/pool/updates/main/o/openldap2/ldap-utils_2.0.23-6.3_ia64.deb
      Size/MD5 checksum:   130370 c200491173f802aa79f18f6069d693a6
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2_2.0.23-6.3_ia64.deb
      Size/MD5 checksum:   287272 bc3d117d2a5ce5472bd7c8e82415c316
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2-dev_2.0.23-6.3_ia64.deb
      Size/MD5 checksum:  1770604 541a1c9edbe6a16405882e222cd7a109
    http://security.debian.org/pool/updates/main/o/openldap2/slapd_2.0.23-6.3_ia64.deb
      Size/MD5 checksum:  1055364 6f57696f2b7531f84130a70af0549b8d

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/o/openldap2/ldap-gateways_2.0.23-6.3_hppa.deb
      Size/MD5 checksum:    72484 204da57b2ee9c96ce1c452b7930200ed
    http://security.debian.org/pool/updates/main/o/openldap2/ldap-utils_2.0.23-6.3_hppa.deb
      Size/MD5 checksum:    96546 c7effeaa7614518f6fc3430377a4a5d5
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2_2.0.23-6.3_hppa.deb
      Size/MD5 checksum:   215844 579d0e6079f28507f1ec9cb04e480eb1
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2-dev_2.0.23-6.3_hppa.deb
      Size/MD5 checksum:  1918820 4fe546d4d46cd60886b632454051305f
    http://security.debian.org/pool/updates/main/o/openldap2/slapd_2.0.23-6.3_hppa.deb
      Size/MD5 checksum:   754974 33465a944d5f074d8360c6636e59a21c

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/o/openldap2/ldap-gateways_2.0.23-6.3_m68k.deb
      Size/MD5 checksum:    63104 97a7ac89fa92969b337c9faac65a396f
    http://security.debian.org/pool/updates/main/o/openldap2/ldap-utils_2.0.23-6.3_m68k.deb
      Size/MD5 checksum:    82360 622b8f56215e11e8d8560a046ae6727d
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2_2.0.23-6.3_m68k.deb
      Size/MD5 checksum:   172070 6c83f54353a1f6e4ab930534ff1d4e3f
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2-dev_2.0.23-6.3_m68k.deb
      Size/MD5 checksum:  1747054 ed7fb0f971840a7fa830bf8398a4d14e
    http://security.debian.org/pool/updates/main/o/openldap2/slapd_2.0.23-6.3_m68k.deb
      Size/MD5 checksum:   549178 af67d5db8fe060084f216816d5317349

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openldap2/ldap-gateways_2.0.23-6.3_mips.deb
      Size/MD5 checksum:    71252 ec1e7143d9bee2bbbe0c51c74565539a
    http://security.debian.org/pool/updates/main/o/openldap2/ldap-utils_2.0.23-6.3_mips.deb
      Size/MD5 checksum:    96432 63ea165d5ced9a86f03f401ddd82bdec
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2_2.0.23-6.3_mips.deb
      Size/MD5 checksum:   182296 7f14e28ef4cb9dc8ee4a81379a41ba43
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2-dev_2.0.23-6.3_mips.deb
      Size/MD5 checksum:  1740550 80ceff7b9ad86b6a271a75f02b7fc156
    http://security.debian.org/pool/updates/main/o/openldap2/slapd_2.0.23-6.3_mips.deb
      Size/MD5 checksum:   690306 d1fcfcfb94ed45c1cc1738f650ea7791

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openldap2/ldap-gateways_2.0.23-6.3_mipsel.deb
      Size/MD5 checksum:    71024 7525d0c425e5039e9057f8ba7b33887a
    http://security.debian.org/pool/updates/main/o/openldap2/ldap-utils_2.0.23-6.3_mipsel.deb
      Size/MD5 checksum:    96224 5659381cf1d060a6e941fa966b0a0ee9
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2_2.0.23-6.3_mipsel.deb
      Size/MD5 checksum:   182322 416d63e7910ac76318b044ec1822f7a5
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2-dev_2.0.23-6.3_mipsel.deb
      Size/MD5 checksum:  1707922 1d802562db371b06b85fb9377c243b9c
    http://security.debian.org/pool/updates/main/o/openldap2/slapd_2.0.23-6.3_mipsel.deb
      Size/MD5 checksum:   690470 b2641844353f0e774878ed2584f3377b

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/o/openldap2/ldap-gateways_2.0.23-6.3_powerpc.deb
      Size/MD5 checksum:    67354 cea40c452a90042c183d548374e3d3ab
    http://security.debian.org/pool/updates/main/o/openldap2/ldap-utils_2.0.23-6.3_powerpc.deb
      Size/MD5 checksum:    89190 8ba071acfbd7ce9a91547506c9f2032d
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2_2.0.23-6.3_powerpc.deb
      Size/MD5 checksum:   190122 2ed378aced84f062d25341ea402fe432
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2-dev_2.0.23-6.3_powerpc.deb
      Size/MD5 checksum:  1833820 9e552d28447baff88a9513224872df4c
    http://security.debian.org/pool/updates/main/o/openldap2/slapd_2.0.23-6.3_powerpc.deb
      Size/MD5 checksum:   659124 bd3a42e7f529ffe0ba2c14db79d4c5e9

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/o/openldap2/ldap-gateways_2.0.23-6.3_s390.deb
      Size/MD5 checksum:    68148 c092242782dc253a48bed75e64d89f73
    http://security.debian.org/pool/updates/main/o/openldap2/ldap-utils_2.0.23-6.3_s390.deb
      Size/MD5 checksum:    90736 4f1a07b555e2b45c2010f906cc5643b8
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2_2.0.23-6.3_s390.deb
      Size/MD5 checksum:   185080 31f46df36b184835aa7dfa690f0e5acf
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2-dev_2.0.23-6.3_s390.deb
      Size/MD5 checksum:  1774464 73c0f603bccf160742f195eceda8cdaa
    http://security.debian.org/pool/updates/main/o/openldap2/slapd_2.0.23-6.3_s390.deb
      Size/MD5 checksum:   630076 51fb890370a4ac20cc624bd098f47a1f

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/o/openldap2/ldap-gateways_2.0.23-6.3_sparc.deb
      Size/MD5 checksum:    83524 3a4ecbbec28bdbece90059b279cf0b79
    http://security.debian.org/pool/updates/main/o/openldap2/ldap-utils_2.0.23-6.3_sparc.deb
      Size/MD5 checksum:    96442 22cd660e75d55fdacdd8f3f496018e86
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2_2.0.23-6.3_sparc.deb
      Size/MD5 checksum:   184178 8ed0238017accfbf049df22ba8caf7e0
    http://security.debian.org/pool/updates/main/o/openldap2/libldap2-dev_2.0.23-6.3_sparc.deb
      Size/MD5 checksum:  1793314 4ef681fc1a92aad509ed6b7697ea5ac3
    http://security.debian.org/pool/updates/main/o/openldap2/slapd_2.0.23-6.3_sparc.deb
      Size/MD5 checksum:   633264 70f1164d9d170954a31142e3aef49f61


  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+ItYxW5ql+IAeqTIRAvV/AKCeZFJg95gz+EiDZhWigp28NPIuigCbBH/c
pv+CkTPod/NDJ6WJoe7q2sA=
=8Qj8
-----END PGP SIGNATURE-----


  Nav
» Read more about: Story Type: Security; Groups: Debian

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.