openldap: CVE-2013-4449


Debian Bug report logs - #729367


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 12 Nov 2013 12:06:02 UTC

Severity: important

Tags: patch, security

Found in version 2.4.31-1+nmu2

Fixed in version openldap/2.4.39-1.1

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://www.openldap.org/its/?findid=7723




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#729367; Package openldap. (Tue, 12 Nov 2013 12:06:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Tue, 12 Nov 2013 12:06:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openldap: CVE-2013-4449
Date: Tue, 12 Nov 2013 12:56:52 +0100
Package: openldap
Severity: important
Tags: security

This was assigned CVE-2013-4449:
http://www.openldap.org/its/index.cgi/Incoming?id=7723
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4449

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#729367; Package openldap. (Sat, 22 Feb 2014 16:15:04 GMT)


Acknowledgement sent to Hideki Yamane <henrich@debian.or.jp>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Sat, 22 Feb 2014 16:15:04 GMT)


Message #10 received at 729367@bugs.debian.org:

From: Hideki Yamane <henrich@debian.or.jp>
To: 729367@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: openldap: CVE-2013-4449
Date: Sun, 23 Feb 2014 01:10:57 +0900
Control: tag -1 +patch

Hi,

 I've taken the patch from RHEL for this issue, and can build it.
 Upstream hasn't applied it yet, I'm not sure why, but it's worth
 checking, IMO.

-- 
Regards,

 Hideki Yamane     henrich @ debian.or.jp/org
 http://wiki.debian.org/HidekiYamane
[openldap.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Hideki Yamane <henrich@debian.or.jp> to 729367-submit@bugs.debian.org. (Sat, 22 Feb 2014 16:15:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#729367; Package openldap. (Sun, 06 Apr 2014 00:27:04 GMT)


Acknowledgement sent to Ryan Tandy <ryan@nardis.ca>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Sun, 06 Apr 2014 00:27:04 GMT)


Message #17 received at 729367@bugs.debian.org:

From: Ryan Tandy <ryan@nardis.ca>
To: Hideki Yamane <henrich@debian.or.jp>
Cc: 729367@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Re: openldap: CVE-2013-4449
Date: Sat, 05 Apr 2014 17:23:28 -0700
On 22/02/14 08:10 AM, Hideki Yamane wrote:
>   I've taken the patch from RHEL for this issue, and can build it.
>   Upstream hasn't applied it yet, I'm not sure why, but it's worth
>   checking, IMO.

Upstream have applied the patch recently to their 2.4 and 2.5 branches.

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=924389d9dd9dbb6ffe5db6c0fc65ecfe6814a1af

Your patch still applies (besides the changelog) to 2.4.39-1 and builds
successfully.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#729367; Package openldap. (Tue, 08 Apr 2014 17:24:04 GMT)


Acknowledgement sent to Ryan Tandy <ryan@nardis.ca>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Tue, 08 Apr 2014 17:24:04 GMT)


Message #22 received at 729367@bugs.debian.org:

From: Ryan Tandy <ryan@nardis.ca>
To: Hideki Yamane <henrich@debian.or.jp>
Cc: 729367@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, control@bugs.debian.org
Subject: Re: Re: openldap: CVE-2013-4449
Date: Tue, 8 Apr 2014 10:20:54 -0700
tags 729367 + pending
thanks

Reproduced in openldap 2.4.39-1 using Jan Synacek's test case:
http://jsynacek.fedorapeople.org/openldap/its7723/reproducer/

Verified that this patch fixes the bug, committed to git.



Added tag(s) pending. Request was from Ryan Tandy <ryan@nardis.ca> to control@bugs.debian.org. (Tue, 08 Apr 2014 17:24:07 GMT)


Set Bug forwarded-to-address to 'http://www.openldap.org/its/?findid=7723'. Request was from Ryan Tandy <ryan@nardis.ca> to control@bugs.debian.org. (Wed, 07 May 2014 17:57:21 GMT)


Marked as found in versions 2.4.31-1+nmu2. Request was from Ryan Tandy <ryan@nardis.ca> to control@bugs.debian.org. (Tue, 20 May 2014 18:09:16 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#729367; Package openldap. (Sun, 10 Aug 2014 20:03:09 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Sun, 10 Aug 2014 20:03:09 GMT)


Message #33 received at 729367@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 729367@bugs.debian.org
Subject: re: openldap: CVE-2013-4449
Date: Sun, 10 Aug 2014 16:00:53 -0400
control: tag -1 pending

Hi,

I've uploaded a package fixing this issue to delayed/5.  Please see
attached patch.

Best wishes,
Mike
[openldap.patch (text/x-patch, attachment)]

Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Fri, 15 Aug 2014 21:48:05 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Fri, 15 Aug 2014 21:48:05 GMT)


Message #38 received at 729367-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 729367-close@bugs.debian.org
Subject: Bug#729367: fixed in openldap 2.4.39-1.1
Date: Fri, 15 Aug 2014 21:45:32 +0000
Source: openldap
Source-Version: 2.4.39-1.1

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 729367@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 09 Aug 2014 09:26:51 +0000
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source amd64
Version: 2.4.39-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description:
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 729367
Changes:
 openldap (2.4.39-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2013-4449: reference counting logic issue (closes: #729367).
Checksums-Sha1:
 894591276f730e6a71f8a5203fe1ecc2dcfb9b39 3451 openldap_2.4.39-1.1.dsc
 80e82ecd123e6cb401cfd0e546ef660b62443256 158462 openldap_2.4.39-1.1.diff.gz
 10f247107c9c7afac3093c19f5196bcb77de40b0 1391784 slapd_2.4.39-1.1_amd64.deb
 ac0cd08d5308db06cd43ed69c0c6d711fb97dddd 79836 slapd-smbk5pwd_2.4.39-1.1_amd64.deb
 94306c6c0e54ec4b4157b65a930734af68394711 185386 ldap-utils_2.4.39-1.1_amd64.deb
 a840db3d65821b21fd2bcc1c4fdce2a5557afa88 211920 libldap-2.4-2_2.4.39-1.1_amd64.deb
 a05aad76e8fe441f5a6bfe6d89ba65a3df79f0be 435486 libldap-2.4-2-dbg_2.4.39-1.1_amd64.deb
 9c4e75905aa73b2cc74fb8f009224d70b7a3399f 317574 libldap2-dev_2.4.39-1.1_amd64.deb
 6a9edf4ad38e26f9e14e06eb06defee9f9df3e77 4834094 slapd-dbg_2.4.39-1.1_amd64.deb
Checksums-Sha256:
 5497bdd0bc38dc68cd953a0448655ab150075a33381849b74cc7bbcffe138988 3451 openldap_2.4.39-1.1.dsc
 652851a1e38caae14c953386c56440cd408db6659fea822602a2455d97823f11 158462 openldap_2.4.39-1.1.diff.gz
 f2943e2f7348d72b4d1288448dd261012d36d39549282ddde47b48eebc195ce3 1391784 slapd_2.4.39-1.1_amd64.deb
 6e18fd510937ad4ba8ea0cfff860a4b5e35c3f0749ddf28d7b580829063a703c 79836 slapd-smbk5pwd_2.4.39-1.1_amd64.deb
 86c6364fb6a9308968ef4ffb7d5c4ae4ed639556ce765598b7c9222becabd146 185386 ldap-utils_2.4.39-1.1_amd64.deb
 f3b932b5a283827f1ebd3a3be77d3a36db2d951e0949c42f7e01226eeac1b8b6 211920 libldap-2.4-2_2.4.39-1.1_amd64.deb
 427f5d8971a0bdb0f15f7c35a204ef4be573cebaf4e0ea0c82fef20ebd2e82f7 435486 libldap-2.4-2-dbg_2.4.39-1.1_amd64.deb
 0706a77b4c4df9809165d7d2d2455b2e82a2a597835fca6a72108bbff3a68d90 317574 libldap2-dev_2.4.39-1.1_amd64.deb
 64c25f030b26746c2a0e280a394059258d675826276fae9d09818f03108abcb8 4834094 slapd-dbg_2.4.39-1.1_amd64.deb
Files:
 7b104f3b5cb8ce484c88e3abdf4c1255 1391784 net optional slapd_2.4.39-1.1_amd64.deb
 2b0f95d76fd1b0cee2b6d3aec22e37f2 79836 net extra slapd-smbk5pwd_2.4.39-1.1_amd64.deb
 ee35631e6fec675ebadf3d3401ec9724 185386 net optional ldap-utils_2.4.39-1.1_amd64.deb
 0a9f30cc5005f6902998650ba986509b 211920 libs standard libldap-2.4-2_2.4.39-1.1_amd64.deb
 f5503fa79f1ecb7b92d8607590e3371f 435486 debug extra libldap-2.4-2-dbg_2.4.39-1.1_amd64.deb
 b308383f49404819edfb31c60d93f53d 317574 libdevel extra libldap2-dev_2.4.39-1.1_amd64.deb
 89aab22ac2ff99bcbaa839e690afdcea 4834094 debug extra slapd-dbg_2.4.39-1.1_amd64.deb
 cc1d1dd613d462cb48241b7c9009e025 3451 net optional openldap_2.4.39-1.1.dsc
 ea91534413e2eb88f0da270f83eac27a 158462 net optional openldap_2.4.39-1.1.diff.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=bffs
-----END PGP SIGNATURE-----
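The closing message above carries the .changes record for the fixed upload, including a Checksums-Sha256 field whose continuation lines have the layout "hash size filename". As an added example (not part of this bug log and not Debian's own tooling), the following parses that field from a .changes-style text and verifies downloaded files against it, reporting a missing file, a size mismatch and a hash mismatch separately. The file names and contents are constructed for the example; the checksum lines are generated from them, so the real hashes on the page are not used (the files they describe are not on the page).

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Continuation line of a Checksums-Sha256 field: "<sha256hex> <size> <filename>".
CHECKSUM_LINE = re.compile(r"^\s+([0-9a-f]{64})\s+(\d+)\s+(\S+)\s*$")


def parse_checksums_sha256(changes_text: str) -> List[Tuple[str, int, str]]:
    """Return (hexdigest, size, filename) triples from the Checksums-Sha256 field."""
    entries = []
    in_block = False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_block = True
            continue
        if in_block:
            m = CHECKSUM_LINE.match(line)
            if not m:
                # A non-continuation line (the next field, e.g. "Files:", or a
                # blank line) ends the block.
                break
            entries.append((m.group(1), int(m.group(2)), m.group(3)))
    return entries


def verify_files(entries: List[Tuple[str, int, str]],
                 files: Dict[str, bytes]) -> Dict[str, str]:
    """Check each listed file and report 'ok', 'missing', 'size-mismatch' or 'hash-mismatch'.

    The size check runs first because it is cheap and catches truncated
    downloads without hashing; the digest is compared only when sizes agree.
    """
    results = {}
    for digest, size, name in entries:
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            results[name] = "hash-mismatch"
        else:
            results[name] = "ok"
    return results


# Constructed sample "files" standing in for a source package upload.
SAMPLE_FILES: Dict[str, bytes] = {
    "example_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: example\n",
    "example_1.0-1.diff.gz": b"constructed diff payload, not a real gzip stream\n",
    "example_1.0-1_amd64.deb": b"constructed deb payload, not a real ar archive\n",
}


def build_changes(files: Dict[str, bytes]) -> str:
    """Build a minimal .changes-style text with a Checksums-Sha256 field for the given files."""
    lines = ["Format: 1.8", "Source: example", "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    # A following field must terminate the checksum block in the parser.
    lines.append("Files:")
    lines.append(" 00000000000000000000000000000000 0 placeholder")
    return "\n".join(lines) + "\n"


def demo() -> Dict[str, str]:
    """Verify a constructed download set in which one file was altered and one is absent."""
    entries = parse_checksums_sha256(build_changes(SAMPLE_FILES))
    received = dict(SAMPLE_FILES)
    # Same length, one bit flipped: passes the size check, fails the digest.
    tampered = bytearray(received["example_1.0-1_amd64.deb"])
    tampered[0] ^= 0x01
    received["example_1.0-1_amd64.deb"] = bytes(tampered)
    # The diff was never downloaded.
    del received["example_1.0-1.diff.gz"]
    return verify_files(entries, received)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:14s} {name}")
```

Against the real record on this page, the same parser would be pointed at the message text and the `files` mapping at the fetched artefacts; any result other than "ok" for every listed file means the download does not match what the uploader signed.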




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 23 Sep 2014 07:37:05 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:46:30 2019; Machine Name: buxtehude


Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.