Conectiva Linux Security Announcement - openldap

Aug 30, 2001, 10:36 (0 Talkback[s])
Date: Wed, 29 Aug 2001 15:47:55 -0300
Subject: [CLA-2001:417] Conectiva Linux Security Announcement - openldap
From: secure@conectiva.com.br

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : openldap
SUMMARY   : Remote DoS vulnerability in openldap
DATE      : 2001-08-29 15:47:00
ID        : CLA-2001:417
RELEVANT
RELEASES  : 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0

- -------------------------------------------------------------------------

DESCRIPTION
 OpenLDAP is an LDAPv2 and LDAPv3 (starting with version 2.0.x)
 server.
 The PROTOS[2] project conducted several protocol tests with many
 different LDAP servers. It was verified[3] that OpenLDAP versions
 before 1.2.11 and 2.0.8 (from the 2.0.x series) have a remote denial
 of service vulnerability that allows a remote attacker to disrupt the
 service.


SOLUTION
 It is recommended that all OpenLDAP users upgrade their packages.
 Some remarks:
 - it IS necessary to manually restart the service after applying the
 update. Execute "/etc/rc.d/init.d/ldap restart";
 - the openldap2 package (please note the version number together with
 the name) supplied for CL6.0 is experimental, openldap-1.2.x is the
 recommended version for that distribution. In particular, it is not
 possible to have openldap version 1.2.x and openldap2 installed at
 the same time in CL6.0;
 - the openldap1 package (please note the version number together with
 the name) supplied for CL7.0 only has the dynamic libraries in it: no
 program in CL7.0 requires this package and it is provided only for
 compatibility reasons.
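As an added example (not part of the Conectiva advisory), the following POSIX shell script checks whether installed openldap packages are older than the first fixed releases named above (1.2.11 for the 1.2.x series, 2.0.8 for the 2.0.x series). It runs over constructed lines shaped like `rpm -q --qf '%{NAME} %{VERSION}\n'` output instead of querying a live host; only the VERSION field is compared, the RPM release tag is ignored.

```shell
#!/bin/sh
# Added example: flag openldap packages below the fixed release of their series.

# vercmp A B: print -1, 0 or 1 comparing two dotted numeric version strings.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# fixed_version VERSION: first fixed release of the series VERSION belongs to
# (taken from the advisory text); empty for a series the advisory does not cover.
fixed_version() {
    case "$1" in
        1.2.*) echo 1.2.11 ;;
        2.0.*) echo 2.0.8 ;;
        *)     echo "" ;;
    esac
}

# is_vulnerable VERSION: succeed when VERSION is below its series' fixed release.
is_vulnerable() {
    fixed=$(fixed_version "$1")
    [ -n "$fixed" ] || return 1
    [ "$(vercmp "$1" "$fixed")" -lt 0 ]
}

# vulnerable_packages: read "NAME VERSION" lines on stdin, print NAME-VERSION
# for every package that still needs the update (and a service restart).
vulnerable_packages() {
    while read -r name version; do
        [ -n "$name" ] || continue
        if is_vulnerable "$version"; then echo "$name-$version"; fi
    done
}

# Constructed sample inventory, not output from a real system.
SAMPLE='openldap 1.2.9
openldap2 2.0.7
openldap 1.2.12
openldap2 2.0.11'

printf '%s\n' "$SAMPLE" | vulnerable_packages
```

On a real host replace the sample with `rpm -q --qf '%{NAME} %{VERSION}\n' openldap openldap1 openldap2`, and remember the advisory's note that the service must be restarted after the update.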
 
 
REFERENCES
 1. http://www.cert.org/advisories/CA-2001-18.html
 2. http://www.ee.oulu.fi/research/ouspg/protos/
 3. http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/index.html
 4. http://www.openldap.org
 5. http://www.kb.cert.org/vuls/id/935800


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/openldap-1.2.12-1U41_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/openldap-devel-1.2.12-1U41_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/openldap-1.2.12-1U41_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/openldap-1.2.12-1U42_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/openldap-devel-1.2.12-1U42_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/openldap-1.2.12-1U42_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/openldap-1.2.12-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/openldap-devel-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/openldap-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/openldap-1.2.12-1U51_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/openldap-1.2.12-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/openldap-devel-1.2.12-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openldap-1.2.12-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap-devel-1.2.12-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap-1.2.12-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openldap2-2.0.11-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-devel-2.0.11-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-2.0.11-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-tests-2.0.11-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/openldap1-1.2.12-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openldap1-1.2.12-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/openldap-1.2.12-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openldap-devel-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openldap-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/openldap-1.2.12-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openldap-devel-1.2.12-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openldap-1.2.12-1U50_1cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br