openldap: CVE-2019-13565

Related vulnerabilities: CVE-2019-13565, CVE-2019-13057

Debian Bug report logs - #932998

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 25 Jul 2019 17:15:05 UTC

Severity: important

Tags: security, upstream

Found in versions openldap/2.4.47+dfsg-3, openldap2/2.0.23-6

Fixed in version openldap/2.4.48+dfsg-1

Done: Ryan Tandy <ryan@nardis.ca>

Forwarded to https://openldap.org/its/?findid=9052



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#932998; Package src:openldap. (Thu, 25 Jul 2019 17:15:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Thu, 25 Jul 2019 17:15:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openldap: CVE-2019-13565
Date: Thu, 25 Jul 2019 19:12:36 +0200
Source: openldap
Version: 2.4.47+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://openldap.org/its/?findid=9052

Hi,

The following vulnerability was published for openldap, filing for
tracking.

CVE-2019-13565[0]:
|openldap: ACL protections get lost if same identity uses different SSF
|levels

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13565
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13565
[1] https://openldap.org/its/?findid=9052

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions openldap2/2.0.23-6. Request was from Ryan Tandy <ryan@nardis.ca> to control@bugs.debian.org. (Thu, 25 Jul 2019 20:00:04 GMT)


Reply sent to Ryan Tandy <ryan@nardis.ca>:
You have taken responsibility. (Thu, 25 Jul 2019 20:51:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 25 Jul 2019 20:51:14 GMT)


Message #12 received at 932998-close@bugs.debian.org:

From: Ryan Tandy <ryan@nardis.ca>
To: 932998-close@bugs.debian.org
Subject: Bug#932998: fixed in openldap 2.4.48+dfsg-1
Date: Thu, 25 Jul 2019 20:46:24 +0000
Source: openldap
Source-Version: 2.4.48+dfsg-1

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 932998@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Tandy <ryan@nardis.ca> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 25 Jul 2019 08:32:00 -0700
Source: openldap
Architecture: source
Version: 2.4.48+dfsg-1
Distribution: sid
Urgency: medium
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Ryan Tandy <ryan@nardis.ca>
Closes: 880656 926657 932270 932997 932998
Changes:
 openldap (2.4.48+dfsg-1) unstable; urgency=medium
 .
   * New upstream release.
     - fixed slapd to restrict rootDN proxyauthz to its own databases
       (CVE-2019-13057) (ITS#9038) (Closes: #932997)
     - fixed slapd to enforce sasl_ssf ACL statement on every connection
       (CVE-2019-13565) (ITS#9052) (Closes: #932998)
     - added new openldap.h header with OpenLDAP specific libldap interfaces
       (ITS#8671)
     - updated lastbind overlay to support forwarding authTimestamp updates
       (ITS#7721) (Closes: #880656)
   * Update Standards-Version to 4.4.0.
   * Add a systemd drop-in to set RemainAfterExit=no on the slapd service, so
     that systemd marks the service as dead after it crashes or is killed.
     Thanks to Heitor Alves de Siqueira. (Closes: #926657, LP: #1821343)
   * Use more entropy for generating a random admin password, if none was set
     during initial configuration. Thanks to Judicael Courant.
     (Closes: #932270)
   * Replace debian/rules calls to dpkg-architecture and dpkg-parsechangelog
     with variables provided by dpkg-dev includes.
   * Declare R³: no.
   * Create a simple autopkgtest that tests installing slapd and connecting to
     it with an ldap tool.
   * Install the new openldap.h header in libldap2-dev.
Checksums-Sha1:
 c54c0cdcb44a64f3fe8810bd8be7d4b21aaf6209 2879 openldap_2.4.48+dfsg-1.dsc
 88c4972417c09062b46055eaa9a372ea5f3d22a6 4875429 openldap_2.4.48+dfsg.orig.tar.gz
 1da12cf9c7d67898655910a10a085e95cbb0d18c 166116 openldap_2.4.48+dfsg-1.debian.tar.xz
Checksums-Sha256:
 b227535c79454100aac32e526b0f4e2730f05087f0e9ffd4a78f35d81b012e66 2879 openldap_2.4.48+dfsg-1.dsc
 8645601c28f094b01baed02a604479b175a45ba010e407212d214313bc6a80ba 4875429 openldap_2.4.48+dfsg.orig.tar.gz
 bdd3e8ac25748be6a8f248d787aff9ad591e0d3ea0b3e176a5cd54f11dc8e90e 166116 openldap_2.4.48+dfsg-1.debian.tar.xz
Files:
 7c5887ad6e9b4517b1be78ac7d1eabde 2879 net optional openldap_2.4.48+dfsg-1.dsc
 c97a336099ff37c4351933f026411134 4875429 net optional openldap_2.4.48+dfsg.orig.tar.gz
 29a4bb238d5b438f1fe3ae487eb66d16 166116 net optional openldap_2.4.48+dfsg-1.debian.tar.xz






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jul 26 09:33:34 2019; Machine Name: beach
