CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name

Debian Bug report logs - #553432
CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <iuculano@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name

Date: Sat, 31 Oct 2009 10:57:05 +0100

Package: openldap
Severity: grave
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openldap.

CVE-2009-3767[0]:
| libraries/libldap/tls_o.c in OpenLDAP, when OpenSSL is used, does not
| properly handle a '\0' character in a domain name in the subject's
| Common Name (CN) field of an X.509 certificate, which allows
| man-in-the-middle attackers to spoof arbitrary SSL servers via a
| crafted certificate issued by a legitimate Certification Authority, a
| related issue to CVE-2009-2408.


Please coordinate with the security team (team@security.debian.org) to
prepare packages for the stable and oldstable releases.


If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3767
    http://security-tracker.debian.org/tracker/CVE-2009-3767
    Patch: http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_o.c.diff?r1=1.8&r2=1.11&f=h

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrsCe4ACgkQNxpp46476aqyOwCfYvjBZj45odwhQLQ7eeFCT9j4
YDcAnjvkFab1GOwO9tv/6iXVVqCW5D/g
=0E+p
-----END PGP SIGNATURE-----

Message #10 received at 553432@bugs.debian.org (full text, mbox, reply):

From: Quanah Gibson-Mount <quanah@zimbra.com>

To: 553432@bugs.debian.org

Subject: Re: [Pkg-openldap-devel] Bug#553432: CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name

Date: Sat, 31 Oct 2009 08:47:21 -0700

--On Saturday, October 31, 2009 10:57 AM +0100 Giuseppe Iuculano 
<iuculano@debian.org> wrote:

> Package: openldap
> Severity: grave
> Tags: security patch

This was fixed in OpenLDAP 2.4.18 (Just to note).

Also, how easily someone can set up a rogue LDAP server masquarading as 
someone else's ldap server seems not particularly simple to do.  I.e., this 
requires someone to set up an LDAP server with a bad cert, and then 
intercept someone elses ldap client traffic to that server.

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Message #15 received at 553432@bugs.debian.org (full text, mbox, reply):

From: Quanah Gibson-Mount <quanah@zimbra.com>

To: 553432@bugs.debian.org

Subject: Re: [Pkg-openldap-devel] Bug#553432: Bug#553432: CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name

Date: Sat, 31 Oct 2009 09:13:52 -0700

--On Saturday, October 31, 2009 8:47 AM -0700 Quanah Gibson-Mount 
<quanah@zimbra.com> wrote:

> --On Saturday, October 31, 2009 10:57 AM +0100 Giuseppe Iuculano
> <iuculano@debian.org> wrote:
>
>> Package: openldap
>> Severity: grave
>> Tags: security patch
>
> This was fixed in OpenLDAP 2.4.18 (Just to note).
>
> Also, how easily someone can set up a rogue LDAP server masquarading as
> someone else's ldap server seems not particularly simple to do.  I.e.,
> this requires someone to set up an LDAP server with a bad cert, and then
> intercept someone elses ldap client traffic to that server.

Also, if Debian's still supporting anything based on OL 2.3, I have a clean 
patch for this issue for it as well.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Message #20 received at 553432@bugs.debian.org (full text, mbox, reply):

From: Quanah Gibson-Mount <quanah@zimbra.com>

To: 553432@bugs.debian.org

Subject: Re: [Pkg-openldap-devel] Bug#553432: Bug#553432: Bug#553432: CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name

Date: Tue, 10 Nov 2009 09:19:32 -0800

[Message part 1 (text/plain, inline)]

--On Saturday, October 31, 2009 9:13 AM -0700 Quanah Gibson-Mount 
<quanah@zimbra.com> wrote:
> Also, if Debian's still supporting anything based on OL 2.3, I have a
> clean patch for this issue for it as well.

2.3 patch attached if needed.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

[ITS6239.patch (application/octet-stream, attachment)]

Message #25 received at 553432@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <iuculano@debian.org>

To: 553432@bugs.debian.org, Quanah Gibson-Mount <quanah@zimbra.com>

Subject: Re: [Pkg-openldap-devel] Bug#553432: Bug#553432: CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name

Date: Tue, 10 Nov 2009 18:58:29 +0100

[Message part 1 (text/plain, inline)]

Hi,

Quanah Gibson-Mount wrote:
> Also, if Debian's still supporting anything based on OL 2.3, I have a clean 
> patch for this issue for it as well.

Could you send the patch for OL 2.3 please?

Thanks in advance,
Giuseppe

[signature.asc (application/pgp-signature, attachment)]

Message #30 received at 553432@bugs.debian.org (full text, mbox, reply):

From: Quanah Gibson-Mount <quanah@zimbra.com>

To: Giuseppe Iuculano <iuculano@debian.org>, 553432@bugs.debian.org

Subject: Re: [Pkg-openldap-devel] Bug#553432: Bug#553432: CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name

Date: Tue, 10 Nov 2009 10:09:12 -0800

--On Tuesday, November 10, 2009 6:58 PM +0100 Giuseppe Iuculano 
<iuculano@debian.org> wrote:

> Hi,
>
> Quanah Gibson-Mount wrote:
>> Also, if Debian's still supporting anything based on OL 2.3, I have a
>> clean  patch for this issue for it as well.
>
> Could you send the patch for OL 2.3 please?

Sent it this morning already. :)

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Message #35 received at 553432@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <giuseppe@iuculano.it>

To: 553432@bugs.debian.org

Subject: NMU

Date: Tue, 10 Nov 2009 20:30:46 +0100

[Message part 1 (text/plain, inline)]

Hi,

Attached is a debdiff of the changes I made for 2.4.17-2.1 0-day NMU.

Cheers,
Giuseppe

[openldap_2.4.17-2.1.debdiff (text/plain, attachment)]

[signature.asc (application/pgp-signature, attachment)]

Message #40 received at 553432-close@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <iuculano@debian.org>

To: 553432-close@bugs.debian.org

Subject: Bug#553432: fixed in openldap 2.4.17-2.1

Date: Tue, 10 Nov 2009 19:47:43 +0000

Source: openldap
Source-Version: 2.4.17-2.1

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive:

ldap-utils_2.4.17-2.1_i386.deb
  to main/o/openldap/ldap-utils_2.4.17-2.1_i386.deb
libldap-2.4-2-dbg_2.4.17-2.1_i386.deb
  to main/o/openldap/libldap-2.4-2-dbg_2.4.17-2.1_i386.deb
libldap-2.4-2_2.4.17-2.1_i386.deb
  to main/o/openldap/libldap-2.4-2_2.4.17-2.1_i386.deb
libldap2-dev_2.4.17-2.1_i386.deb
  to main/o/openldap/libldap2-dev_2.4.17-2.1_i386.deb
openldap_2.4.17-2.1.diff.gz
  to main/o/openldap/openldap_2.4.17-2.1.diff.gz
openldap_2.4.17-2.1.dsc
  to main/o/openldap/openldap_2.4.17-2.1.dsc
slapd-dbg_2.4.17-2.1_i386.deb
  to main/o/openldap/slapd-dbg_2.4.17-2.1_i386.deb
slapd_2.4.17-2.1_i386.deb
  to main/o/openldap/slapd_2.4.17-2.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 553432@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 10 Nov 2009 19:09:45 +0100
Source: openldap
Binary: slapd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source i386
Version: 2.4.17-2.1
Distribution: unstable
Urgency: high
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
Closes: 553432
Changes: 
 openldap (2.4.17-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-3767: libraries/libldap/tls_o.c doesn't properly handle NULL
     character in subject Common Name (Closes: #553432)
Checksums-Sha1: 
 f2fc0fb1ddcef840c29c3ea684f110ffb1270d94 1825 openldap_2.4.17-2.1.dsc
 c05341105a4e5dc9053498bdb3eda2e834da86e2 149501 openldap_2.4.17-2.1.diff.gz
 9a069769a8435a32d06953ed9949795da766f4cd 1469008 slapd_2.4.17-2.1_i386.deb
 c25da1114aa35e41cbb2872b7ed7c8da2c9a89fd 283890 ldap-utils_2.4.17-2.1_i386.deb
 d0a3a68ed1d4a1f1a33332b1286a23110cfe1420 192256 libldap-2.4-2_2.4.17-2.1_i386.deb
 9d1102bb40b2ce04b548ddb041d97157fe45dc9c 302532 libldap-2.4-2-dbg_2.4.17-2.1_i386.deb
 dad482f42f78889bb7cec8361ff96396fa4a3248 928716 libldap2-dev_2.4.17-2.1_i386.deb
 21658571a6accc73efa86b07cc558cdda22640fd 3821058 slapd-dbg_2.4.17-2.1_i386.deb
Checksums-Sha256: 
 2d7b086496f999d38657d37560a995df6d05e714e433f7d2086595cb8ea80a60 1825 openldap_2.4.17-2.1.dsc
 52b95b60d4d3daef1eb4b444ba35e095b44f87cac910a52fa657bdb17bcf6cf8 149501 openldap_2.4.17-2.1.diff.gz
 5dad9b8117fa0105aace96291dcd60ddc072db5d060f8899e55bd99920659d86 1469008 slapd_2.4.17-2.1_i386.deb
 363b62869fd0ca1fec85d8ae354c7e0026cf935afcd624060a62c5d2a05ed924 283890 ldap-utils_2.4.17-2.1_i386.deb
 1d2be3ef3ab11816370ac754d81bbfa0fa0957d7a9eeb45ab8122770dee68afc 192256 libldap-2.4-2_2.4.17-2.1_i386.deb
 a787a7184da6b9e776adfa5875f389356ebe6b8ec0f9d96f48869cd92a5eb56c 302532 libldap-2.4-2-dbg_2.4.17-2.1_i386.deb
 c02269251a34ec1b6f14dfd7c99e55ae71a6a0249f11d01f2e0a3d5031fb239d 928716 libldap2-dev_2.4.17-2.1_i386.deb
 416632641c922cc13d3020e8b792ac8a5d309e846e7e3667f70b646396e9c8e6 3821058 slapd-dbg_2.4.17-2.1_i386.deb
Files: 
 618fe84fd3eb68a6226e2ae3a59aca02 1825 net optional openldap_2.4.17-2.1.dsc
 4e931dc6534daae97ab95802f557eb51 149501 net optional openldap_2.4.17-2.1.diff.gz
 da15cb492a4802f46942ea6a38c4f05f 1469008 net optional slapd_2.4.17-2.1_i386.deb
 ff72366b9f51f558fc3792aa8ad6523d 283890 net optional ldap-utils_2.4.17-2.1_i386.deb
 675fb04526377484253bc541e21e46ac 192256 libs standard libldap-2.4-2_2.4.17-2.1_i386.deb
 d48fc813054024787c14cdc63231c967 302532 debug extra libldap-2.4-2-dbg_2.4.17-2.1_i386.deb
 b6853471021f5110c2a34cbe82521ae7 928716 libdevel extra libldap2-dev_2.4.17-2.1_i386.deb
 569522f3cf0f9e5bc3b69601f2cd7e82 3821058 debug extra slapd-dbg_2.4.17-2.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkr5vloACgkQNxpp46476ao3TQCdFdcKaHdNP8RFXT0glRPO57Fw
TS0An2jMxl1mTQWfRKdKbIimRj7m58Uz
=4Hno
-----END PGP SIGNATURE-----

Message #47 received at 553432-close@bugs.debian.org (full text, mbox, reply):

From: Matthijs Mohlmann <matthijs@cacholong.nl>

To: 553432-close@bugs.debian.org

Subject: Bug#553432: fixed in openldap 2.4.21-1

Date: Fri, 23 Apr 2010 19:32:28 +0000

Source: openldap
Source-Version: 2.4.21-1

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive:

ldap-utils_2.4.21-1_amd64.deb
  to main/o/openldap/ldap-utils_2.4.21-1_amd64.deb
libldap-2.4-2-dbg_2.4.21-1_amd64.deb
  to main/o/openldap/libldap-2.4-2-dbg_2.4.21-1_amd64.deb
libldap-2.4-2_2.4.21-1_amd64.deb
  to main/o/openldap/libldap-2.4-2_2.4.21-1_amd64.deb
libldap2-dev_2.4.21-1_amd64.deb
  to main/o/openldap/libldap2-dev_2.4.21-1_amd64.deb
openldap_2.4.21-1.diff.gz
  to main/o/openldap/openldap_2.4.21-1.diff.gz
openldap_2.4.21-1.dsc
  to main/o/openldap/openldap_2.4.21-1.dsc
openldap_2.4.21.orig.tar.gz
  to main/o/openldap/openldap_2.4.21.orig.tar.gz
slapd-dbg_2.4.21-1_amd64.deb
  to main/o/openldap/slapd-dbg_2.4.21-1_amd64.deb
slapd-smbk5pwd_2.4.21-1_amd64.deb
  to main/o/openldap/slapd-smbk5pwd_2.4.21-1_amd64.deb
slapd_2.4.21-1_amd64.deb
  to main/o/openldap/slapd_2.4.21-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 553432@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthijs Mohlmann <matthijs@cacholong.nl> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 22 Apr 2010 23:40:30 +0200
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source amd64
Version: 2.4.21-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Matthijs Mohlmann <matthijs@cacholong.nl>
Description: 
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 226090 231950 385898 443073 452834 465024 490930 502769 504728 510346 518657 518660 528695 549291 549642 553432 561144 563113 564686 575900
Changes: 
 openldap (2.4.21-1) unstable; urgency=low
 .
   [ Steve Langasek ]
   * New upstream version
     (Closes: #561144, #465024, #502769, #528695, #564686, #504728)
   * Add upstream manpage for ldapexop; thanks to Peter Marschall
     <peter@adpm.de>.  Closes: #549291.
 .
   [ Matthijs Mohlmann ]
   * Ack NMU (Closes: #553432)
   * Update Standards-Version to 3.8.4
   * Fix NEWS entry to have the correct version number
   * Improve the wording for the slapd/invalid_config question (Closes: #452834)
   * Make lintian a bit more happy (Closes: #518660)
   * Fix bashism (Closes: #518657)
   * Refresh all patches
   * Add patch from upstream (Closes: #549642)
   * Reworked the configure.options a bit to include some more options
   * Enable dynamic acls
   * Use slappasswd to create a secure password (Closes: #490930)
   * Set a rootdn and rootpw if no password is given by debconf (Closes: #231950)
   * Better document the TLSCipherSuite in slapd.conf manpage (Closes: #563113)
   * Better document the TLS_CIPHER_SUITE in ldap.conf manpage (Closes: #510346)
   * Add smbk5pwd slapd module, used patch from Mark Hymers (Closes: #443073)
   * Add autogroup slapd module, used patch from Mathieu Parent (Closes: #575900)
   * Add lsb logging, used patch from David Härdeman (Closes: #385898)
   * Use dh_lintian to install the lintian-overrides
   * Added critical error report when slapcat fails (Closes: #226090)
Checksums-Sha1: 
 cacc47d1d3e1f497a42c7f2d4a9737d0f3c5726a 1862 openldap_2.4.21-1.dsc
 8ae276ae3df3230106268ad8169a1b0a08bbc545 4714249 openldap_2.4.21.orig.tar.gz
 2f505cdc246e5aa7fe34679d10f2abb569ed6666 150990 openldap_2.4.21-1.diff.gz
 4a585e7d2711cf39670f04e93ade9b755a6a3976 1585160 slapd_2.4.21-1_amd64.deb
 7b2fa9975e01473ca792c60a1042b55d882d3ca2 56116 slapd-smbk5pwd_2.4.21-1_amd64.deb
 11d80f417d731b738ccfe27e8027745b5a653321 327632 ldap-utils_2.4.21-1_amd64.deb
 b965ff2c1fe23474e045affe31f10a01a765e00f 207368 libldap-2.4-2_2.4.21-1_amd64.deb
 bbfc56e1411084229b6367f3de3ae5d193a10a69 303498 libldap-2.4-2-dbg_2.4.21-1_amd64.deb
 88d32d11594c8167b77e47485da907c814b86b4d 908974 libldap2-dev_2.4.21-1_amd64.deb
 b91ed83b500c6b7f24382be1d0cff6e32c83c79e 3963684 slapd-dbg_2.4.21-1_amd64.deb
Checksums-Sha256: 
 56232c0a5f551b5074f16bd8368727e007866069896b1b90433d34a3fe440fd3 1862 openldap_2.4.21-1.dsc
 86f92f299cec257c6a721e4dd69a8f1c7257caae454c16e807f97a1c2caa029a 4714249 openldap_2.4.21.orig.tar.gz
 0523bfdb635d140124310b4efc4c50e3a0002ab289f93ee96636fbd8158a4a0d 150990 openldap_2.4.21-1.diff.gz
 e272f580471a851bcce5d54f01b131b6301fbc9276f92a288028cb3ad5f5ee43 1585160 slapd_2.4.21-1_amd64.deb
 f49d75ed42b117a7b5d107525bbc68bd58860ed5a50a7c8c403b18581c26fd12 56116 slapd-smbk5pwd_2.4.21-1_amd64.deb
 8e5dc0fd324389f7a1b51a31ce6b127563797ea9ac13342449e7403d37ea3845 327632 ldap-utils_2.4.21-1_amd64.deb
 1035872f19e03c1e8c23dc8469e9a62a621bd65e86361d6310f544573c2046e9 207368 libldap-2.4-2_2.4.21-1_amd64.deb
 97765ca48942b0b5ca82bd7caa09708358d6111bc3212f57ac7af3e728975257 303498 libldap-2.4-2-dbg_2.4.21-1_amd64.deb
 fb95448d1a4a6e5697c83d3e73c264034d39ee2c9e760188076227948677be9c 908974 libldap2-dev_2.4.21-1_amd64.deb
 7728a33af98bdca8de42849e97ce7fd2bcf63b9d21bd32b8befd537725ac760f 3963684 slapd-dbg_2.4.21-1_amd64.deb
Files: 
 2e2436bac8eac1eae8549191951e123f 1862 net optional openldap_2.4.21-1.dsc
 74320e5744d58116a618986be204b1bc 4714249 net optional openldap_2.4.21.orig.tar.gz
 eafb9eb02c83688ba5fb97c195f21846 150990 net optional openldap_2.4.21-1.diff.gz
 74856a387aceefac2d87d816ce2d8677 1585160 net optional slapd_2.4.21-1_amd64.deb
 5fde31a7da08b9351432139b7392a431 56116 net extra slapd-smbk5pwd_2.4.21-1_amd64.deb
 389285994f60a418a08c215de45e21d6 327632 net optional ldap-utils_2.4.21-1_amd64.deb
 e9b831f40bb3bcbb2f2fc258765926ad 207368 libs standard libldap-2.4-2_2.4.21-1_amd64.deb
 ca488f5aad11f1c090ed9d51a86ca421 303498 debug extra libldap-2.4-2-dbg_2.4.21-1_amd64.deb
 a66ff0d308a9202f00b6657669f3abc4 908974 libdevel extra libldap2-dev_2.4.21-1_amd64.deb
 42c8f8bbf7e0f839f1abe8c3c85b8e98 3963684 debug extra slapd-dbg_2.4.21-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkvR0A8ACgkQ2n1ROIkXqbD9mwCfVfQZsFs1fD1KT6TNATFYPt0Y
J2AAn3C9sNji1k3++RVWCFvIDxx6czgd
=TThi
-----END PGP SIGNATURE-----

Message #52 received at 553432-close@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <iuculano@debian.org>

To: 553432-close@bugs.debian.org

Subject: Bug#553432: fixed in openldap 2.4.11-1+lenny1

Date: Thu, 18 Nov 2010 01:58:37 +0000

Source: openldap
Source-Version: 2.4.11-1+lenny1

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive:

ldap-utils_2.4.11-1+lenny1_i386.deb
  to main/o/openldap/ldap-utils_2.4.11-1+lenny1_i386.deb
libldap-2.4-2-dbg_2.4.11-1+lenny1_i386.deb
  to main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_i386.deb
libldap-2.4-2_2.4.11-1+lenny1_i386.deb
  to main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_i386.deb
libldap2-dev_2.4.11-1+lenny1_i386.deb
  to main/o/openldap/libldap2-dev_2.4.11-1+lenny1_i386.deb
openldap_2.4.11-1+lenny1.diff.gz
  to main/o/openldap/openldap_2.4.11-1+lenny1.diff.gz
openldap_2.4.11-1+lenny1.dsc
  to main/o/openldap/openldap_2.4.11-1+lenny1.dsc
slapd-dbg_2.4.11-1+lenny1_i386.deb
  to main/o/openldap/slapd-dbg_2.4.11-1+lenny1_i386.deb
slapd_2.4.11-1+lenny1_i386.deb
  to main/o/openldap/slapd_2.4.11-1+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 553432@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 16 Nov 2009 17:37:17 +0100
Source: openldap
Binary: slapd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source i386
Version: 2.4.11-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
Closes: 553432
Changes: 
 openldap (2.4.11-1+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-3767: libraries/libldap/tls_o.c doesn't properly handle NULL
     character in subject Common Name (Closes: #553432)
Checksums-Sha1: 
 a19367278d150c9638d15ca38debea28422d36be 1831 openldap_2.4.11-1+lenny1.dsc
 bad27f34061482ba559609fadfad28976c4ca3ba 4193523 openldap_2.4.11.orig.tar.gz
 5a18ad3994400eb9073b571794e8ef18bafc373d 148075 openldap_2.4.11-1+lenny1.diff.gz
 da911938cf9194b47f0927804c57c792a8742cec 1404266 slapd_2.4.11-1+lenny1_i386.deb
 8ba3ee67202970a7d9acbd78b3e056f3561efc7c 244952 ldap-utils_2.4.11-1+lenny1_i386.deb
 d1ca32ce203911b7cf1fd61b6e8875261ff49531 189442 libldap-2.4-2_2.4.11-1+lenny1_i386.deb
 2b0f5be4bfc4423253b8d75b57cd9a0ab40acf9e 286808 libldap-2.4-2-dbg_2.4.11-1+lenny1_i386.deb
 d3ff60f034d00cbe058f6438d08c31033c49fbad 892068 libldap2-dev_2.4.11-1+lenny1_i386.deb
 abb4d38acac751ab54c7862e19c49a8ba7bca72e 3560322 slapd-dbg_2.4.11-1+lenny1_i386.deb
Checksums-Sha256: 
 ca7f1123040576e3ffce1179f358182978c5802e0b7f0c3f5b89da8999df2066 1831 openldap_2.4.11-1+lenny1.dsc
 8d5645e05f63555fd9dd4ec2a01ea9a3d7c4ac1e6b2e52d3b151ca9877eacd18 4193523 openldap_2.4.11.orig.tar.gz
 7cb6a4ae6d81aa8ba5e98edb485ae5546a66c0182bd0218c6785772ec6571201 148075 openldap_2.4.11-1+lenny1.diff.gz
 20aebfd73d02d3cf81ca9bfb964978cb79fd9fd5d0efb541e8e088073aaa9007 1404266 slapd_2.4.11-1+lenny1_i386.deb
 80078c43a99feeacc6c758780f485a516d94bf1e3422caa29191947c436f86cc 244952 ldap-utils_2.4.11-1+lenny1_i386.deb
 c7a6413f77b28b9eb702f5d13debb069b4fbda19a53ad6f0e7ca09927cdef5cf 189442 libldap-2.4-2_2.4.11-1+lenny1_i386.deb
 edc5a82e9621219eb66e3ab8c6b7e7f2b07257246e15bdb963769affaee3a856 286808 libldap-2.4-2-dbg_2.4.11-1+lenny1_i386.deb
 34009e2cbf50789e8910f0d0263ec6be037a5ed2c371ee1d489c353a626d5151 892068 libldap2-dev_2.4.11-1+lenny1_i386.deb
 9c91b0c2bad3fb0b6f638f454ce158f0e9fb30028c84ba0fb10f970960b7ddc0 3560322 slapd-dbg_2.4.11-1+lenny1_i386.deb
Files: 
 ca4cb86b4847a59f95275ff2f4d0e173 1831 net optional openldap_2.4.11-1+lenny1.dsc
 d4e8669e2c9b8d981e371e97e3cf92d9 4193523 net optional openldap_2.4.11.orig.tar.gz
 024b717169f42734ee5650ebe2978631 148075 net optional openldap_2.4.11-1+lenny1.diff.gz
 a3bffb93ec3b0d0d130a6a7e29091a9b 1404266 net optional slapd_2.4.11-1+lenny1_i386.deb
 5a5b31ebb9098059e62eb57d209a6846 244952 net optional ldap-utils_2.4.11-1+lenny1_i386.deb
 879dac84b581979646c49bde9743c630 189442 libs optional libldap-2.4-2_2.4.11-1+lenny1_i386.deb
 2dcb4f8e5514d9e4d9072b4853da322d 286808 libdevel extra libldap-2.4-2-dbg_2.4.11-1+lenny1_i386.deb
 449ba5d6037617e4e93dfd6bcb093549 892068 libdevel extra libldap2-dev_2.4.11-1+lenny1_i386.deb
 c6a6fbc66944bd05585c1065ab012c93 3560322 net extra slapd-dbg_2.4.11-1+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksOVnEACgkQNxpp46476arvjwCfbyyzwx+dNopAmNC6RQ2jhpjk
rvwAniRAFnwpaSG5qWJjl6Yzn/mDRnOG
=GPrp
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.