Debian Bug report logs - #663644
[CVE-2012-1164] openldap (slapd): Assertion failure by processing search queries requesting only attributes for particular entry
Reported by: Luciano Bello <luciano@debian.org>
Date: Mon, 12 Mar 2012 22:39:02 UTC
Severity: grave
Tags: fixed-upstream, patch, security
Fixed in version openldap/2.4.31-1
Done: Steve Langasek <vorlon@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>: Bug#663644; Package openldap. (Mon, 12 Mar 2012 22:39:05 GMT)
Acknowledgement sent to Luciano Bello <luciano@debian.org>: New Bug report received and forwarded. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Mon, 12 Mar 2012 22:39:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: openldap
Severity: grave
Tags: security patch
The following vulnerability had been reported against openssl:
http://www.openwall.com/lists/oss-security/2012/03/12/4
The upstream patch can be found in the report.
Please use CVE-2012-1164 for this issue.
Cheers,
/luciano
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>: Bug#663644; Package openldap. (Mon, 12 Mar 2012 22:54:03 GMT)
Acknowledgement sent to Quanah Gibson-Mount <quanah@zimbra.com>: Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Mon, 12 Mar 2012 22:54:03 GMT)
Message #10 received at 663644@bugs.debian.org:
--On Monday, March 12, 2012 11:34 PM +0100 Luciano Bello <luciano@debian.org> wrote:
> Package: openldap
> Severity: grave
> Tags: security patch
>
> The following vulnerability had been reported against openssl:
I think you mean OpenLDAP. Note that you have to be using
slapo-translucent and slapo-rwm, which very few people do.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
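As an added example (not code from this bug report, from Debian or from the OpenLDAP project), a defender-side check that reads a classic slapd.conf and reports which databases stack the two overlays Quanah names, slapo-translucent and slapo-rwm, so an administrator can tell whether a slapd older than 2.4.31-1 is in the affected configuration at all. It assumes slapd.conf syntax (`database`, `suffix`, `overlay` directives), not the cn=config LDIF form; the configuration inside it is constructed.

```python
from typing import Dict, List

# Constructed sample slapd.conf (not a real deployment): the first database
# stacks translucent and rwm, the second only syncprov. The uri line is a
# hypothetical remote for the translucent overlay's back-ldap.
SAMPLE_SLAPD_CONF = """\
# constructed slapd.conf fragment
database        bdb
suffix          "dc=example,dc=org"
overlay         translucent
uri             ldap://remote.example.org
overlay         rwm
rwm-map         attribute uid sAMAccountName

database        bdb
suffix          "dc=internal,dc=org"
overlay         syncprov
"""


def parse_overlays(config_text: str) -> Dict[str, List[str]]:
    """Map each database (by suffix, or by type if it has none) to its overlays in stack order."""
    sections: List[dict] = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment line
        parts = raw.split(None, 1)        # first token is the directive keyword
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "database":             # every database directive opens a new section
            sections.append({"type": value, "suffix": None, "overlays": []})
        elif key == "suffix" and sections:
            sections[-1]["suffix"] = value
        elif key == "overlay" and sections:
            sections[-1]["overlays"].append(value.lower())
    return {s["suffix"] or s["type"]: s["overlays"] for s in sections}


def exposed_databases(config_text: str) -> List[str]:
    """Suffixes whose overlay stack contains both translucent and rwm."""
    return [suffix for suffix, overlays in parse_overlays(config_text).items()
            if "translucent" in overlays and "rwm" in overlays]


if __name__ == "__main__":
    for suffix in exposed_databases(SAMPLE_SLAPD_CONF):
        print(f"{suffix}: translucent+rwm stacked, check slapd version against 2.4.31-1")
```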
Added tag(s) pending. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sun, 17 Jun 2012 02:21:06 GMT)
Added tag(s) fixed-upstream. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sun, 17 Jun 2012 02:21:09 GMT)
Reply sent to Steve Langasek <vorlon@debian.org>: You have taken responsibility. (Wed, 27 Jun 2012 16:09:11 GMT)
Notification sent to Luciano Bello <luciano@debian.org>: Bug acknowledged by developer. (Wed, 27 Jun 2012 16:09:11 GMT)
Message #19 received at 663644-close@bugs.debian.org:
Source: openldap
Source-Version: 2.4.31-1
We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive:
ldap-utils_2.4.31-1_amd64.deb
  to main/o/openldap/ldap-utils_2.4.31-1_amd64.deb
libldap-2.4-2-dbg_2.4.31-1_amd64.deb
  to main/o/openldap/libldap-2.4-2-dbg_2.4.31-1_amd64.deb
libldap-2.4-2_2.4.31-1_amd64.deb
  to main/o/openldap/libldap-2.4-2_2.4.31-1_amd64.deb
libldap2-dev_2.4.31-1_amd64.deb
  to main/o/openldap/libldap2-dev_2.4.31-1_amd64.deb
openldap_2.4.31-1.diff.gz
  to main/o/openldap/openldap_2.4.31-1.diff.gz
openldap_2.4.31-1.dsc
  to main/o/openldap/openldap_2.4.31-1.dsc
openldap_2.4.31.orig.tar.gz
  to main/o/openldap/openldap_2.4.31.orig.tar.gz
slapd-dbg_2.4.31-1_amd64.deb
  to main/o/openldap/slapd-dbg_2.4.31-1_amd64.deb
slapd-smbk5pwd_2.4.31-1_amd64.deb
  to main/o/openldap/slapd-smbk5pwd_2.4.31-1_amd64.deb
slapd_2.4.31-1_amd64.deb
  to main/o/openldap/slapd_2.4.31-1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 663644@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated openldap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Wed, 27 Jun 2012 03:27:34 +0000
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source amd64
Version: 2.4.31-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description:
ldap-utils - OpenLDAP utilities
libldap-2.4-2 - OpenLDAP libraries
libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
libldap2-dev - OpenLDAP development libraries
slapd - OpenLDAP server (slapd)
slapd-dbg - Debugging information for the OpenLDAP server (slapd)
slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 654824 662940 663644 663724 664930 666230 677158
Changes:
openldap (2.4.31-1) unstable; urgency=low
.
* New upstream release.
- Fixes a denial of service attack, CVE-2012-1164, when using the rwm
overlay. Closes: #663644.
- Fixes a bug with ldap_result always returning -1 when called from
sssd. Closes: #666230.
- Fix a build failure on armel due to unaligned memory access.
Closes: #677158.
* Incorporate NMU (thanks, Julien Cristau, Mattias Ellert):
- Disable the mdb backend on non-Linux, it looks like it doesn't work
with linuxthreads (closes: #654824).
- Backport fix for shell backend configuration. Closes: #662940.
.
[ Peter Marschall ]
* debian/slapd.scripts-common: avoid grep warnings
* debian/patches/heimdal-fix: fix arguments of
hdb_generate_key_set_password(). Closes: #664930
.
[ Steve Langasek ]
* debian/patches/contrib-modules-use-dpkg-buildflags: pass CFLAGS to
contrib builds. Thanks to Simon Ruderich <simon@ruderich.org>.
Closes: #663724.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>: Bug#663644; Package openldap. (Mon, 09 Jul 2012 02:42:04 GMT)
Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>: Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Mon, 09 Jul 2012 02:42:04 GMT)
Message #24 received at 663644@bugs.debian.org:
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.6) - use target "stable"
Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.
For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].
0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/663644/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 06 Aug 2012 07:30:09 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 14:38:12 2019; Machine Name: beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.