openldap: CVE-2015-6908: ber_get_next denial of service vulnerability

Related Vulnerabilities: CVE-2015-6908  

Debian Bug report logs - #798622
openldap: CVE-2015-6908: ber_get_next denial of service vulnerability


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 11 Sep 2015 06:15:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions openldap/2.4.31-2, openldap/2.4.31-1, openldap/2.4.42+dfsg-1, openldap/2.4.40+dfsg-1, openldap/2.4.23-7.3+deb6u1

Fixed in versions openldap/2.4.40+dfsg-1+deb8u1, openldap/2.4.31-2+deb7u1, openldap/2.4.42+dfsg-2, openldap/2.4.23-7.3+deb6u2

Done: Ryan Tandy <ryan@nardis.ca>

Bug is archived. No further changes may be made.

Forwarded to http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#798622; Package src:openldap. (Fri, 11 Sep 2015 06:15:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Fri, 11 Sep 2015 06:15:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openldap: ber_get_next denial of service vulnerability
Date: Fri, 11 Sep 2015 08:12:40 +0200
Source: openldap
Version: 2.4.31-2
Severity: important
Tags: security patch upstream fixed-upstream
Forwarded: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240

Hi

See http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240 . A
patch is available at
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=6fe51a9ab04fd28bbc171da3cf12f1c1040d6629

Regards,
Salvatore



Marked as fixed in versions openldap/2.4.42+dfsg-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 11 Sep 2015 06:57:08 GMT)


Marked as found in versions openldap/2.4.31-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 11 Sep 2015 07:21:03 GMT)


Changed Bug title to 'openldap: CVE-2015-6908: ber_get_next denial of service vulnerability' from 'openldap: ber_get_next denial of service vulnerability'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 11 Sep 2015 14:39:05 GMT)


No longer marked as fixed in versions openldap/2.4.42+dfsg-2. Request was from Ryan Tandy <ryan@nardis.ca> to control@bugs.debian.org. (Fri, 11 Sep 2015 15:12:09 GMT)


Marked as found in versions openldap/2.4.42+dfsg-1. Request was from Ryan Tandy <ryan@nardis.ca> to control@bugs.debian.org. (Fri, 11 Sep 2015 15:15:07 GMT)


Marked as found in versions openldap/2.4.40+dfsg-1. Request was from Ryan Tandy <ryan@nardis.ca> to control@bugs.debian.org. (Fri, 11 Sep 2015 15:15:08 GMT)


Marked as found in versions openldap/2.4.23-7.3+deb6u1. Request was from Ryan Tandy <ryan@nardis.ca> to control@bugs.debian.org. (Fri, 11 Sep 2015 15:15:09 GMT)


Marked as fixed in versions openldap/2.4.42+dfsg-2. Request was from Ryan Tandy <ryan@nardis.ca> to control@bugs.debian.org. (Fri, 11 Sep 2015 15:18:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#798622; Package src:openldap. (Sat, 12 Sep 2015 18:42:06 GMT)


Acknowledgement sent to Ryan Tandy <ryan@nardis.ca>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Sat, 12 Sep 2015 18:42:07 GMT)


Message #26 received at 798622@bugs.debian.org:

From: Ryan Tandy <ryan@nardis.ca>
To: 798622@bugs.debian.org
Subject: Re: Bug#798622: openldap: CVE-2015-6908: ber_get_next denial of service vulnerability
Date: Sat, 12 Sep 2015 11:39:30 -0700
Control: tag -1 - fixed-upstream

The upstream fix has been reverted, for the moment.



Removed tag(s) fixed-upstream. Request was from Ryan Tandy <ryan@nardis.ca> to 798622-submit@bugs.debian.org. (Sat, 12 Sep 2015 18:42:07 GMT)


Marked as fixed in versions openldap/2.4.40+dfsg-1+deb8u1. Request was from Ryan Tandy <ryan@nardis.ca> to control@bugs.debian.org. (Sat, 12 Sep 2015 18:51:12 GMT)


Marked as fixed in versions openldap/2.4.31-2+deb7u1. Request was from Ryan Tandy <ryan@nardis.ca> to control@bugs.debian.org. (Sat, 12 Sep 2015 18:51:13 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 12 Sep 2015 21:22:30 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 12 Sep 2015 21:22:30 GMT)


Message #37 received at 798622-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 798622-close@bugs.debian.org
Subject: Bug#798622: fixed in openldap 2.4.40+dfsg-1+deb8u1
Date: Sat, 12 Sep 2015 21:17:10 +0000
Source: openldap
Source-Version: 2.4.40+dfsg-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 798622@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 11 Sep 2015 10:30:43 +0200
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source
Version: 2.4.40+dfsg-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 798622
Changes:
 openldap (2.4.40+dfsg-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add ITS8240-remove-obsolete-assert.patch patch.
     Import upstream patch to remove an unnecessary assert(0) that could be
     triggered remotely by an unauthenticated user by sending a malformed BER
     element. (CVE-2015-6908, Closes: #798622)
Checksums-Sha1:
 b0db59f25f01d87eb9db18ed1f8bab63ccad037e 2821 openldap_2.4.40+dfsg-1+deb8u1.dsc
 b80c48f2b7cbf634a3d463b7eb4ca38f081ce2eb 4797667 openldap_2.4.40+dfsg.orig.tar.gz
 bed31b94ef1e525f565b22a55eb501aeb8b42c2b 179239 openldap_2.4.40+dfsg-1+deb8u1.diff.gz
Checksums-Sha256:
 9938c4113dbe0c25fba5974d3c857f696413e17bdc56a031e499c78ed62eb114 2821 openldap_2.4.40+dfsg-1+deb8u1.dsc
 86c0326dc3dc5f1a9b3c25f7106b96f3eafcdf5da090b1fc586dec57d56e0e7f 4797667 openldap_2.4.40+dfsg.orig.tar.gz
 ae1b31e084f4b3e086d26787816175959d166ec406c9bcfce8f6fbe46ad4062a 179239 openldap_2.4.40+dfsg-1+deb8u1.diff.gz
Files:
 1837a04d128daf28f021c14c17a547e5 2821 net optional openldap_2.4.40+dfsg-1+deb8u1.dsc
 8d84a916e2312aade2a3d7b2308a9a69 4797667 net optional openldap_2.4.40+dfsg.orig.tar.gz
 c286cfcce9a00059b260a9c1257be7d9 179239 net optional openldap_2.4.40+dfsg-1+deb8u1.diff.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Added tag(s) fixed-upstream. Request was from Ryan Tandy <ryan@nardis.ca> to control@bugs.debian.org. (Sun, 13 Sep 2015 21:51:12 GMT)


Reply sent to Ryan Tandy <ryan@nardis.ca>:
You have taken responsibility. (Mon, 14 Sep 2015 13:39:19 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 14 Sep 2015 13:39:19 GMT)


Message #44 received at 798622-close@bugs.debian.org:

From: Ryan Tandy <ryan@nardis.ca>
To: 798622-close@bugs.debian.org
Subject: Bug#798622: fixed in openldap 2.4.23-7.3+deb6u2
Date: Mon, 14 Sep 2015 13:35:57 +0000
Source: openldap
Source-Version: 2.4.23-7.3+deb6u2

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 798622@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Tandy <ryan@nardis.ca> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 11 Sep 2015 08:28:34 -0700
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source i386
Version: 2.4.23-7.3+deb6u2
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Ryan Tandy <ryan@nardis.ca>
Description: 
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 798622
Changes: 
 openldap (2.4.23-7.3+deb6u2) squeeze-lts; urgency=high
 .
   * Import upstream patch to remove an unnecessary assert(0) that could be
     triggered remotely by an unauthenticated user by sending a malformed BER
     element. (ITS#8240) (CVE-2015-6908) (Closes: #798622)
Checksums-Sha1: 
 1bd617ced7fb1e15072f7adf7bea78d9de8b90c7 2651 openldap_2.4.23-7.3+deb6u2.dsc
 6ae59c70665c0df7c71bab1f786503e10bdcf82e 164124 openldap_2.4.23-7.3+deb6u2.diff.gz
 a6fad853761e3dd19750b297a1fd0d92c5c6079f 1512548 slapd_2.4.23-7.3+deb6u2_i386.deb
 3d344c226203b3ff74c2fd277b2e32964545ffc5 58128 slapd-smbk5pwd_2.4.23-7.3+deb6u2_i386.deb
 a3d72e848d9eedf41bafbfc5ec566fc6b81e1377 298052 ldap-utils_2.4.23-7.3+deb6u2_i386.deb
 e000cedf4481a1a689c4696d426aae19111c3566 197232 libldap-2.4-2_2.4.23-7.3+deb6u2_i386.deb
 98c4d88dc1f6956cbe4ff7300d8029d3d36e5272 307578 libldap-2.4-2-dbg_2.4.23-7.3+deb6u2_i386.deb
 b730bff05c635ec310af19ae4297b818b0046245 913678 libldap2-dev_2.4.23-7.3+deb6u2_i386.deb
 fc66fcb03d0ebfb7357b33a926b196d57fb602c8 3977612 slapd-dbg_2.4.23-7.3+deb6u2_i386.deb
Checksums-Sha256: 
 8cbdef40bef004c8e16ac6f8106adf0cdd8bd74bb383824c3a0b92ac0da6ab3d 2651 openldap_2.4.23-7.3+deb6u2.dsc
 3a2add3be22a85b724057189432c572c89ed05ef5e19be6668a02cd4eb67895e 164124 openldap_2.4.23-7.3+deb6u2.diff.gz
 4cf4476664b3e21b36bf948f84002b6d75961f3bd374050d2bda5b8df6a28a44 1512548 slapd_2.4.23-7.3+deb6u2_i386.deb
 7b8902679f59a43bcdca428dcd43b5994f6081c0191702587cce18574bb3cc3a 58128 slapd-smbk5pwd_2.4.23-7.3+deb6u2_i386.deb
 5e6e9c8257e6ef3bb61bede42c2eb8ce51c0df61bd049045bdc9361b5ffe0aa1 298052 ldap-utils_2.4.23-7.3+deb6u2_i386.deb
 d106dae61d61a333ecd6011836cee5e7af2b28d84a2e0145888189df3d818905 197232 libldap-2.4-2_2.4.23-7.3+deb6u2_i386.deb
 f7433eba0259a49595fbfdce53e99453bc57829f113eccd9986cc570dde4ba7e 307578 libldap-2.4-2-dbg_2.4.23-7.3+deb6u2_i386.deb
 d8c7420e3b4b7e007c32a1bbbb442d756bf79fe964b967a9f3ae2b085595bcf2 913678 libldap2-dev_2.4.23-7.3+deb6u2_i386.deb
 0e850e6a114791d3f6730fb24da38a62fb308742ed0bfe0912bb9479d046b96b 3977612 slapd-dbg_2.4.23-7.3+deb6u2_i386.deb
Files: 
 28fa4a83fcc093901a51f13f9d30796b 2651 net optional openldap_2.4.23-7.3+deb6u2.dsc
 ce1a51ef35e139bfead2be4fbd40c38e 164124 net optional openldap_2.4.23-7.3+deb6u2.diff.gz
 a711c2ca040411fae882d7fe8bd20efc 1512548 net optional slapd_2.4.23-7.3+deb6u2_i386.deb
 d619c8b1802d3fd5163af5ac05ba90e0 58128 net extra slapd-smbk5pwd_2.4.23-7.3+deb6u2_i386.deb
 4eb5dee2f57cc371b4b7451ba3163b9b 298052 net optional ldap-utils_2.4.23-7.3+deb6u2_i386.deb
 3a2de63702761427e26a4b3b7081eef8 197232 libs standard libldap-2.4-2_2.4.23-7.3+deb6u2_i386.deb
 801aa538846f24b3a864a66ebfdca26c 307578 debug extra libldap-2.4-2-dbg_2.4.23-7.3+deb6u2_i386.deb
 b92333c66c2af621e2530b210f4cc944 913678 libdevel extra libldap2-dev_2.4.23-7.3+deb6u2_i386.deb
 29f02952ea8b357b7c81bdfdc981a670 3977612 debug extra slapd-dbg_2.4.23-7.3+deb6u2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
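Both changelog entries above describe the same class of fix: an assert(0) in the BER decoder that an unauthenticated client could reach with a malformed element is removed, so a bad length octet becomes a decoding error rather than a process abort. The following is an added example written for this page; it is not OpenLDAP's ber_get_next(), not the ITS#8240 patch, and not any code from the Debian packages. It is a small stand-alone decoder for a BER identifier octet plus a definite-form length that reports every malformed or oversized header to the caller through a status code. The function names, status enum, size limit and sample byte strings are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes returned to the caller (constructed for this example).
 * Malformed network input is an expected condition, so it is reported
 * rather than treated as an "impossible" state with assert(). */
enum ber_hdr_status {
    BER_HDR_OK = 0,
    BER_HDR_NEED_MORE,   /* buffer ends before the header is complete */
    BER_HDR_BAD_TAG,     /* high-tag-number form, not used by LDAP PDUs */
    BER_HDR_BAD_LENGTH,  /* indefinite form, or more length octets than size_t holds */
    BER_HDR_TOO_LARGE    /* declared length exceeds the caller's limit */
};

struct ber_hdr {
    uint8_t tag;     /* identifier octet */
    size_t  hdr_len; /* octets consumed by the tag and length fields */
    size_t  len;     /* declared content length */
};

/* Decode one identifier octet and a definite-form BER length (short or
 * long form) from buf. max_len is the caller's policy limit on element
 * size. Hypothetical helper; not the OpenLDAP liblber API. */
enum ber_hdr_status ber_decode_header(const uint8_t *buf, size_t buflen,
                                      size_t max_len, struct ber_hdr *out)
{
    size_t pos = 0;
    size_t len;

    if (buflen < 2)
        return BER_HDR_NEED_MORE;        /* need at least tag + one length octet */

    uint8_t tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f)
        return BER_HDR_BAD_TAG;          /* multi-octet tag: reject rather than guess */

    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                     /* short form: length is 0..127 */
    } else {
        size_t n = first & 0x7f;         /* long form: n following octets hold the length */
        if (n == 0)
            return BER_HDR_BAD_LENGTH;   /* 0x80 is the indefinite form; LDAP needs definite */
        if (n > sizeof(size_t))
            return BER_HDR_BAD_LENGTH;   /* not representable; the shift below would overflow */
        if (buflen - pos < n)
            return BER_HDR_NEED_MORE;    /* length octets not all received yet */
        len = 0;
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[pos + i];
        pos += n;
    }

    if (len > max_len)
        return BER_HDR_TOO_LARGE;        /* bound the size before anyone allocates for it */

    out->tag = tag;
    out->hdr_len = pos;
    out->len = len;
    return BER_HDR_OK;
}

static const char *status_name(enum ber_hdr_status s)
{
    static const char *names[] = { "OK", "NEED_MORE", "BAD_TAG", "BAD_LENGTH", "TOO_LARGE" };
    return names[s];
}

/* Walk a few constructed headers, including the malformed shapes that a
 * decoder built around assert() would abort on. */
int main(void)
{
    struct { const char *what; uint8_t bytes[8]; size_t n; } samples[] = {
        { "short form, len 5",       {0x30, 0x05, 1, 2, 3, 4, 5},          7 },
        { "long form, len 256",      {0x30, 0x82, 0x01, 0x00},             4 },
        { "indefinite length",       {0x30, 0x80},                         2 },
        { "nine length octets",      {0x30, 0x89, 0, 0, 0, 0, 0, 0},       8 },
        { "truncated long form",     {0x30, 0x82, 0x01},                   3 },
        { "high-tag-number form",    {0x3f, 0x05},                         2 },
        { "len 0x7fffffff, limited", {0x30, 0x84, 0x7f, 0xff, 0xff, 0xff}, 6 },
    };
    const size_t limit = 1u << 20;   /* 1 MiB policy limit, constructed */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ber_hdr h = {0};
        enum ber_hdr_status s = ber_decode_header(samples[i].bytes, samples[i].n, limit, &h);
        printf("%-26s -> %-10s", samples[i].what, status_name(s));
        if (s == BER_HDR_OK)
            printf(" tag=0x%02x hdr_len=%zu len=%zu", h.tag, h.hdr_len, h.len);
        printf("\n");
    }
    return 0;
}
```

The design point is that every early return is a normal outcome for a network-facing parser: the caller (a connection handler, say) logs the status, drops or rejects the PDU, and keeps serving other clients, whereas an assert on the same condition would take the whole process down on one bad packet.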




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 15 Oct 2015 07:28:33 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:35:46 2019; Machine Name: beach
