[CVE-2012-1164] openldap (slapd): Assertion failure by processing search queries requesting only attributes for particular entry

Debian Bug report logs - #663644
[CVE-2012-1164] openldap (slapd): Assertion failure by processing search queries requesting only attributes for particular entry

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>

To: submit@bugs.debian.org

Subject: [CVE-2012-1164] openldap (slapd): Assertion failure by processing search queries requesting only attributes for particular entry

Date: Mon, 12 Mar 2012 23:34:27 +0100

[Message part 1 (text/plain, inline)]

Package: openldap
Severity: grave
Tags: security patch

The following vulnerability had been reported against openssl: 
http://www.openwall.com/lists/oss-security/2012/03/12/4

The upstream patch can be found in the report.

Please use CVE-2012-1164 for this issue.

Cheers,
/luciano

[signature.asc (application/pgp-signature, inline)]

Message #10 received at 663644@bugs.debian.org (full text, mbox, reply):

From: Quanah Gibson-Mount <quanah@zimbra.com>

To: Luciano Bello <luciano@debian.org>, 663644@bugs.debian.org

Subject: Re: [Pkg-openldap-devel] Bug#663644: [CVE-2012-1164] openldap (slapd): Assertion failure by processing search queries requesting only attributes for particular entry

Date: Mon, 12 Mar 2012 15:45:45 -0700

--On Monday, March 12, 2012 11:34 PM +0100 Luciano Bello 
<luciano@debian.org> wrote:

> Package: openldap
> Severity: grave
> Tags: security patch
>
> The following vulnerability had been reported against openssl:

I think you mean OpenLDAP.  Note that you have to be using 
slapo-translucent and slapo-rwm, which very few people do.

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Message #19 received at 663644-close@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>

To: 663644-close@bugs.debian.org

Subject: Bug#663644: fixed in openldap 2.4.31-1

Date: Wed, 27 Jun 2012 16:05:33 +0000

Source: openldap
Source-Version: 2.4.31-1

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive:

ldap-utils_2.4.31-1_amd64.deb
  to main/o/openldap/ldap-utils_2.4.31-1_amd64.deb
libldap-2.4-2-dbg_2.4.31-1_amd64.deb
  to main/o/openldap/libldap-2.4-2-dbg_2.4.31-1_amd64.deb
libldap-2.4-2_2.4.31-1_amd64.deb
  to main/o/openldap/libldap-2.4-2_2.4.31-1_amd64.deb
libldap2-dev_2.4.31-1_amd64.deb
  to main/o/openldap/libldap2-dev_2.4.31-1_amd64.deb
openldap_2.4.31-1.diff.gz
  to main/o/openldap/openldap_2.4.31-1.diff.gz
openldap_2.4.31-1.dsc
  to main/o/openldap/openldap_2.4.31-1.dsc
openldap_2.4.31.orig.tar.gz
  to main/o/openldap/openldap_2.4.31.orig.tar.gz
slapd-dbg_2.4.31-1_amd64.deb
  to main/o/openldap/slapd-dbg_2.4.31-1_amd64.deb
slapd-smbk5pwd_2.4.31-1_amd64.deb
  to main/o/openldap/slapd-smbk5pwd_2.4.31-1_amd64.deb
slapd_2.4.31-1_amd64.deb
  to main/o/openldap/slapd_2.4.31-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 663644@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 27 Jun 2012 03:27:34 +0000
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source amd64
Version: 2.4.31-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 654824 662940 663644 663724 664930 666230 677158
Changes: 
 openldap (2.4.31-1) unstable; urgency=low
 .
   * New upstream release.
     - Fixes a denial of service attack, CVE-2012-1164, when using the rwm
       overlay.  Closes: #663644.
     - Fixes a bug with ldap_result always returning -1 when called from
       sssd.  Closes: #666230.
     - Fix a build failure on armel due to unaligned memory access.
       Closes: #677158.
   * Incorporate NMU (thanks, Julien Cristau, Mattias Ellert):
     - Disable the mdb backend on non-Linux, it looks like it doesn't work
       with linuxthreads (closes: #654824).
     - Backport fix for shell backend configuration.  Closes: #662940.
 .
   [ Peter Marschall ]
   * debian/slapd.scripts-common: avoid grep warnings
   * debian/patches/heimdal-fix: fix arguments of
     hdb_generate_key_set_password().  Closes: #664930
 .
   [ Steve Langasek ]
   * debian/patches/contrib-modules-use-dpkg-buildflags: pass CFLAGS to
     contrib builds.  Thanks to Simon Ruderich <simon@ruderich.org>.
     Closes: #663724.
Checksums-Sha1: 
 4b601e714d54b8fd4a2d42232a3a6b34ef69119c 2727 openldap_2.4.31-1.dsc
 864e7b6ba54cc00ef5b834fd5b5739a7900dd6e3 4720612 openldap_2.4.31.orig.tar.gz
 ba4ecf042e625a7b9e6ea03952b3ac2c654c79ad 159806 openldap_2.4.31-1.diff.gz
 8d7a3b74150c351a747f3ef38de6e945f1959b90 1769626 slapd_2.4.31-1_amd64.deb
 7e0d7657f67b7fa5c4f1fe732a9c5a72fb878edb 79702 slapd-smbk5pwd_2.4.31-1_amd64.deb
 dc8e58302c5cebb9a115b7f413f63c0ebb4ca735 344062 ldap-utils_2.4.31-1_amd64.deb
 96f718712dd7546b657e7a03d8dd2bc41f5232b7 242550 libldap-2.4-2_2.4.31-1_amd64.deb
 a77827c8966cf0ab0c4b6cc4f8b3a4555beab294 473756 libldap-2.4-2-dbg_2.4.31-1_amd64.deb
 409a7e9aa1081c87634f67bfee04b58dc1c24344 562880 libldap2-dev_2.4.31-1_amd64.deb
 751d46bfba9b77b58de1126f16ca748e551d2019 5521900 slapd-dbg_2.4.31-1_amd64.deb
Checksums-Sha256: 
 f12274f5e803eb5bb3aa85547c055e88c69e74a416680766fcb40452200c5b33 2727 openldap_2.4.31-1.dsc
 dff60c1044021217ab97a7bdda5a7016015f042db0fbfd566d52abb266d19239 4720612 openldap_2.4.31.orig.tar.gz
 decb1b04b17b1407fed9a897745e5ff92ec3a093efaef4d1c40e9919e1a1525f 159806 openldap_2.4.31-1.diff.gz
 fd5318d065bad47457c1f9bce7e0e8b0a91a297fe12ae11b73b78c3d6d2ea91b 1769626 slapd_2.4.31-1_amd64.deb
 1bc96ae00d95f0f22d65017550eedad924e28e4d62fef9706f52f68ab53a15f0 79702 slapd-smbk5pwd_2.4.31-1_amd64.deb
 0f1d702653c26ff07255c85665eab02e5465bd29dca0b06896bf213c1ef7b47f 344062 ldap-utils_2.4.31-1_amd64.deb
 410815b85901f270b4e62d7a329d595d283ca693f5da9fc08603eb437a3255bc 242550 libldap-2.4-2_2.4.31-1_amd64.deb
 1eda25c03aff02adb8b84dba4cfe1857d39f90dd1f083fc9bdef04b0720310cf 473756 libldap-2.4-2-dbg_2.4.31-1_amd64.deb
 4a18c6c6c1a3af8d1274d56fab6278a6f4203f40a2ee411749ee35caf032e13b 562880 libldap2-dev_2.4.31-1_amd64.deb
 eaf168dfc62807bf8c44fa66702b42389803cb2e4773db7a5b3f4d703ca590ac 5521900 slapd-dbg_2.4.31-1_amd64.deb
Files: 
 6cb66db1f40d1316ae793343f9447681 2727 net optional openldap_2.4.31-1.dsc
 a8631b2202d8099143edb57e36b33dea 4720612 net optional openldap_2.4.31.orig.tar.gz
 7a52da635a610b3edd4bd7d3bcc8b83a 159806 net optional openldap_2.4.31-1.diff.gz
 7ff97ed3320cd0fee6cd8fa2ad7d1c49 1769626 net optional slapd_2.4.31-1_amd64.deb
 5302a40211d991d983392f17e6747c1f 79702 net extra slapd-smbk5pwd_2.4.31-1_amd64.deb
 0bae31e6c0a91f4170fe3eeb72cb9e71 344062 net optional ldap-utils_2.4.31-1_amd64.deb
 6fa53812e33bfb49ebe3aef63f0d6caf 242550 libs standard libldap-2.4-2_2.4.31-1_amd64.deb
 b5349ac800d1f980e19f04f595f9e9e7 473756 debug extra libldap-2.4-2-dbg_2.4.31-1_amd64.deb
 46b209e618cad7d56578604ac8e24373 562880 libdevel extra libldap2-dev_2.4.31-1_amd64.deb
 37be74142a30f8185fac163cd4fb4fdd 5521900 debug extra slapd-dbg_2.4.31-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJP6yyqAAoJEFaNMPMhshM93qUP/2JlWoEcZgz4NGPxCAiGwhL1
mscaroDMmF50Ia0xz9e+fUtLdfTNj7LlqIqHbUF/WiLMDfmRl4lxAy/5QWiMwHhe
6rH6Q8R2v8dT0lJ0mCrY0RvIRuBtCp+D1P798mpltA+Hmys/BQiU6GUhFktJip3M
v6J+fRG/wW4d1sU0vAusTDSHTOHh4TatluONUZClyA0uqrrIxtrv8TN+X+93uR9w
bB4XCOBPfzNTU5KotUk8DYf5/XZT1Dz7GfYEMWwnX/64XfTTOwkc8EO6CK/cUc/v
3Puz+4CMObBAo+LOX834F+1Z7r7O3Y58n2l8HdeRBPHETRAez+6Hi7G2qWlwfmMt
t80dfgWc1h8rFevYRnun61h+/rrMn7ttFLKtAb3V/icDwc5NzkBr/DNuk6s1Lx/T
cJED5esSN7l8xYJVdLz4b4teWf8OqaXCc/g7C5Y3sgxUh9Ul3/eVSggvWMnnyvDP
iMUpUJwhFIv7QdUohFyaPGhf/PKUEaF5cAFoVYMrqPgWcMgD+9Xjixb34Lr3eGXb
NzF90XH+X/IqFHflVIdL5Lh/K80fjaJzb8eua8ZXqUAXWz5A9bEz9GWphD8oC31R
JKD49Sl2Unk4Q+IRBJL3RL1r1bGt+ZyNNuRBh43d0nDPxYckD4+taz/lUAUtwQbI
ZuuTtrKW7V6bLXvMso1h
=iCS+
-----END PGP SIGNATURE-----

Message #24 received at 663644@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: 663644@bugs.debian.org

Subject: Re: [CVE-2012-1164] openldap (slapd): Assertion failure by processing search queries requesting only attributes for particular entry

Date: Sun, 08 Jul 2012 17:38:36 -0000

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/663644/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Message #29 received at 663644@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: 663644@bugs.debian.org

Subject: Re: [CVE-2012-1164] openldap (slapd): Assertion failure by processing search queries requesting only attributes for particular entry

Date: Sun, 08 Jul 2012 15:24:55 -0000

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/663644/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Send a report that this bug log contains spam.