oss-sec mailing list archives
Re: CVE Request -- OpenLDAP -- two issues
From: Josh Bressers <bressers () redhat com>
Date: Tue, 1 Mar 2011 16:13:42 -0500 (EST)
Please use CVE-2011-1081 for this new DoS.

Thanks.

-- 
    JB

----- Original Message -----
> The following might also need a CVE-ID.
>
> https://bugzilla.novell.com/show_bug.cgi?id=674985#c1
> ------------------------------------------------------------------------------
> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6768
>
> That's a pretty bad DOS. Everybody (even unauthenticated users) can kill the
> server by submitting a MODRDN request with an empty "olddn" value and
> "remove old RDN" set (-r). Example:
>
> ldapmodrdn -x -H ldap://ldapserver -r '' o=test
> ------------------------------------------------------------------------------
>
> On Friday 25 February 2011 17:18:08, Josh Bressers wrote:
> > ----- Original Message -----
> > > Hello Josh, Steve, vendors,
> > >
> > > looks like the following two issues did not get CVE identifiers
> > > yet:
> > > [1] http://secunia.com/advisories/43331/
> >
> > The above advisory covers both bugs below.
> >
> > > [2] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6607
> >
> > CVE-2011-1024 openldap forwarded bind failure messages cause success
> >
> > > [3] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6661
> >
> > CVE-2011-1025 openldap rootpw is not verified with slapd.conf
> >
> > Thanks.
>
> --
> Thomas Biege <thomas () suse de>, SUSE LINUX, Security Support & Auditing
> SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
> --
> Whoever stops wanting to become better stops being good.
>                             -- Marie von Ebner-Eschenbach
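For defenders reviewing logs for the request described in the quoted report, the following is an added example, not part of the original thread or of OpenLDAP: it scans slapd log text for MODRDN operations with an empty target DN and reports the peer address and whether the connection was bound anonymously. The log line layout (stats-level `conn=N op=N MODRDN dn="..."` lines), the sample lines, and the function name `find_empty_dn_modrdn` are assumptions made for illustration.

```python
import re

# Constructed sample of slapd stats-level log lines. The line layout is an
# assumption for this example; adjust the patterns to your own syslog format.
SAMPLE_LOG = """\
Mar  1 10:00:01 ldap1 slapd[812]: conn=1001 fd=14 ACCEPT from IP=192.0.2.10:40112 (IP=0.0.0.0:389)
Mar  1 10:00:01 ldap1 slapd[812]: conn=1001 op=0 BIND dn="cn=admin,o=test" method=128
Mar  1 10:00:01 ldap1 slapd[812]: conn=1001 op=1 MODRDN dn="cn=old,o=test"
Mar  1 10:00:05 ldap1 slapd[812]: conn=1002 fd=15 ACCEPT from IP=198.51.100.7:51234 (IP=0.0.0.0:389)
Mar  1 10:00:05 ldap1 slapd[812]: conn=1002 op=0 BIND dn="" method=128
Mar  1 10:00:05 ldap1 slapd[812]: conn=1002 op=1 MODRDN dn=""
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+)")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
MODRDN_RE = re.compile(r'conn=(\d+) op=(\d+) MODRDN dn="([^"]*)"')


def find_empty_dn_modrdn(log_text):
    """Return one finding per MODRDN operation whose target DN is empty."""
    peers = {}      # conn id -> peer address seen on ACCEPT
    bind_dns = {}   # conn id -> last bind DN ("" means anonymous)
    findings = []
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            peers[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            bind_dns[m.group(1)] = m.group(2)
        elif m := MODRDN_RE.search(line):
            conn, op, dn = m.groups()
            if dn.strip() == "":
                findings.append({
                    "conn": int(conn),
                    "op": int(op),
                    "peer": peers.get(conn, "unknown"),
                    # A connection with no BIND line is also anonymous.
                    "anonymous": bind_dns.get(conn, "") == "",
                })
    return findings


if __name__ == "__main__":
    for finding in find_empty_dn_modrdn(SAMPLE_LOG):
        print(finding)
```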