Two security vulnerabilities have been discovered in OpenLDAP, an implementation of the LDAP protocol. The first (CVE-2012-2668: the cipher suite configured with TLSCipherSuite is not honoured) allows an attacker to obtain confidential information; the second (CVE-2012-1164: an assertion failure in slapd while processing certain search requests) allows a denial-of-service attack. The Fedora 17 update below fixes CVE-2012-2668; the Fedora 16 update fixes both.
Package:
OpenLDAP 2.4.x
Operating systems:
Fedora 16, Fedora 17
Severity:
2.3
Problem:
improper input validation, error in a software component
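A quick way to tell whether an installed build already carries these fixes, using the fixed version-release strings announced in the two Fedora notifications below (2.4.31-3.fc17 and 2.4.26-8.fc16). This is an added example, not code from the advisory, Fedora or OpenLDAP: openldap_is_fixed() and rpm_vercmp() are names chosen here, and rpm_vercmp() reimplements rpm's version-comparison rules (tilde handled, caret not) rather than calling librpm, so confirm anything exotic with rpmdev-vercmp or `yum check-update`.

```python
"""Does the installed openldap build include the fix from this advisory?

Added example; not code from the advisory, Fedora or OpenLDAP. The fixed
builds come from the two notifications on this page; the comparison is a
reimplementation of rpm's rpmvercmp() segment rules (tilde handled, caret not).
"""
import re

# Fixed version-release per Fedora dist tag, as announced on this page.
FIXED = {"fc17": "2.4.31-3.fc17", "fc16": "2.4.26-8.fc16"}


def rpm_vercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b.
    Strings are walked segment by segment: runs of digits compare numerically,
    runs of letters compare as strings, a numeric segment beats an alphabetic
    one, separators are ignored and '~' sorts before everything (pre-releases)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        same_kind = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and same_kind(a[i]):
            i += 1
        while j < len(b) and same_kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:                     # different kinds: numeric is newer
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more digits means a larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1       # whoever has characters left is newer


def compare_vr(installed: str, fixed: str) -> int:
    """rpm compares version first and release only on a tie. Both strings are
    'version-release' as printed by  rpm -q --qf '%{VERSION}-%{RELEASE}' .
    Epochs are omitted because these openldap packages carry none."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpm_vercmp(iv, fv) or rpm_vercmp(ir, fr)


def openldap_is_fixed(version_release: str) -> bool:
    """True when the installed build is at or past the fixed build for its
    Fedora dist tag; ValueError for a build this advisory does not cover."""
    m = re.search(r"\.(fc\d+)$", version_release)
    if not m or m.group(1) not in FIXED:
        raise ValueError(f"not a Fedora 16/17 openldap build: {version_release}")
    return compare_vr(version_release, FIXED[m.group(1)]) >= 0


if __name__ == "__main__":
    import subprocess
    vr = subprocess.run(
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}\n", "openldap"],
        capture_output=True, text=True, check=True).stdout.strip()
    print(vr, "fixed" if openldap_is_fixed(vr)
          else "VULNERABLE, run: su -c 'yum update openldap'")
```

The openldap-servers and openldap-clients subpackages are built from the same source package and carry the same version-release, so one query of the base package answers for all of them.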
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-10000
2012-06-28 02:41:14
--------------------------------------------------------------------------------
Name : openldap
Product : Fedora 17
Version : 2.4.31
Release : 3.fc17
URL : http://www.openldap.org/
Summary : LDAP support libraries
Description :
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
Protocol) applications and development tools. LDAP is a set of
protocols for accessing directory services (usually phone book style
information, but other information is possible) over the Internet,
similar to the way DNS (Domain Name System) information is propagated
over the Internet. The openldap package contains configuration files,
libraries, and documentation for OpenLDAP.
--------------------------------------------------------------------------------
Update Information:
TLS bugfixes and one security fix.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jun 27 2012 Jan Vcelak 2.4.31-3
- update fix: count constraint broken when using multiple modifications
(#795766)
- fix: invalid order of TLS shutdown operations (#808464)
- fix: TLS error messages overwriting in tlsm_verify_cert() (#810462)
- fix: reading pin from file can make all TLS connections hang (#829317)
- CVE-2012-2668: cipher suite selection by name can be ignored (#825875)
- fix: slapd fails to start on reboot (#829272)
- fix: default cipher suite is always selected (#828790)
- fix: less influence between individual TLS contexts:
- replication with TLS does not work (#795763)
- possibly others
* Fri May 18 2012 Jan Vcelak 2.4.31-2
- fix: nss-tools package is required by the base package, not the server
subpackage
- fix: MozNSS CA certdir does not work together with PEM CA cert file (#819536)
* Tue Apr 24 2012 Jan Vcelak 2.4.31-1
- new upstream release
+ library: IPv6 url detection
+ library: rebinding to failed connections
+ server: various fixes in mdb backend
+ server: various fixes in replication
+ server: various fixes in overlays and minor backends
+ documentation fixes
- remove patches which were merged upstream
* Thu Apr 5 2012 Jan Vcelak 2.4.30-3
- rebuild due to libdb rebase
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #825875 - CVE-2012-2668 openldap: does not honor TLSCipherSuite
settings
https://bugzilla.redhat.com/show_bug.cgi?id=825875
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update openldap' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
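CVE-2012-2668 in the notification above is a policy-enforcement failure: the administrator names a cipher suite in TLSCipherSuite (olcTLSCipherSuite in cn=config) and slapd negotiates something the list excludes. A black-box check for exactly that symptom, added here as an example and not code from the advisory, Fedora or OpenLDAP. It assumes the policy string is in OpenSSL cipher-list syntax and expands it with the OpenSSL that Python links against; Fedora's slapd of this era was built on Mozilla NSS (the tlsm_* and MozNSS changelog entries), whose reading of the string may differ, so treat the expansion as an approximation and the live handshake results as the authoritative evidence. The host, port and function names are chosen here; only TLS 1.2 and older are probed because TLS 1.3 suites are not selected by this list.

```python
"""Does a TLS server (slapd on ldaps:// here) negotiate ciphers its
TLSCipherSuite setting should have excluded?

Added example; not code from the advisory, Fedora or OpenLDAP. Assumes an
OpenSSL-syntax policy string expanded by Python's own OpenSSL; the live probe
measures what the server really accepts regardless of that assumption.
"""
import socket
import ssl
from typing import Iterable, List, Set


def _tls12_names(ctx: ssl.SSLContext) -> Set[str]:
    # TLS 1.3 suites are always present and are not governed by the cipher list.
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def allowed_ciphers(cipher_suite_spec: str) -> Set[str]:
    """Expand a spec such as 'HIGH:!aNULL:!MD5' (the value of TLSCipherSuite in
    slapd.conf or olcTLSCipherSuite in cn=config) into the names it permits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_suite_spec)
    return _tls12_names(ctx)


def probe_negotiated_ciphers(host: str, port: int, candidates: Iterable[str],
                             timeout: float = 5.0) -> List[str]:
    """Offer the server exactly one cipher per handshake and record what it
    accepts. Certificate checks are off: identity is not what is being tested."""
    accepted = []
    for name in candidates:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # keep set_ciphers() decisive
        try:
            ctx.set_ciphers(name)
        except ssl.SSLError:
            continue                      # local OpenSSL cannot offer this one
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted.append(tls.cipher()[0])
        except (OSError, ssl.SSLError):
            pass                          # handshake refused: cipher rejected
    return accepted


def ciphers_outside_policy(cipher_suite_spec: str, observed: Iterable[str]) -> List[str]:
    """Ciphers the server negotiated although the policy excludes them.
    An empty list means TLSCipherSuite was honoured for every probe."""
    return sorted(set(observed) - allowed_ciphers(cipher_suite_spec))


def audit(host: str, port: int, cipher_suite_spec: str) -> List[str]:
    """Probe with every TLS<=1.2 cipher the local OpenSSL knows and report
    the ones that slipped past the configured policy."""
    everything = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    everything.set_ciphers("ALL:COMPLEMENTOFALL")
    observed = probe_negotiated_ciphers(host, port, sorted(_tls12_names(everything)))
    return ciphers_outside_policy(cipher_suite_spec, observed)


if __name__ == "__main__":
    # Constructed probe result for a server configured with
    # TLSCipherSuite HIGH:!aNULL:!MD5 that still accepted NULL-MD5, i.e. the
    # CVE-2012-2668 symptom: the named selection was ignored.
    constructed = ["ECDHE-RSA-AES256-GCM-SHA384", "NULL-MD5"]
    print(ciphers_outside_policy("HIGH:!aNULL:!MD5", constructed))   # ['NULL-MD5']
    # Live run against a directory server (hypothetical host name):
    # print(audit("ldap.example.com", 636, "HIGH:!aNULL:!MD5"))
```

Run audit() against ldaps (636) or, for StartTLS on 389, wrap the socket only after sending the StartTLS extended operation; the comparison logic is the same either way. A non-empty result after updating means the server is still not enforcing the list and the configuration, not just the package, needs a second look.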
Fedora Update Notification
FEDORA-2012-10023
2012-06-28 02:42:19
--------------------------------------------------------------------------------
Name : openldap
Product : Fedora 16
Version : 2.4.26
Release : 8.fc16
URL : http://www.openldap.org/
Summary : LDAP support libraries
Description :
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
Protocol) applications and development tools. LDAP is a set of
protocols for accessing directory services (usually phone book style
information, but other information is possible) over the Internet,
similar to the way DNS (Domain Name System) information is propagated
over the Internet. The openldap package contains configuration files,
libraries, and documentation for OpenLDAP.
--------------------------------------------------------------------------------
Update Information:
security and bug fix update
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jun 27 2012 Jan Vcelak 2.4.26-8
- fix: TLS error messages overwriting in tlsm_verify_cert() (#810462)
- fix: reading pin from file can make all TLS connections hang (#829317)
- CVE-2012-2668: cipher suite selection by name can be ignored (#825875)
- fix: default cipher suite is always selected (#828790)
- fix: invalid order of TLS shutdown operations (#808464)
- CVE-2012-1164: Assertion failure by processing search queries requesting only
attributes for particular entry (#802514)
* Mon Mar 26 2012 Jan SynÄ