[CLA-2002:459] Conectiva Linux Security Announcement - openldap
Date: Mon, 28 Jan 2002 12:17:55 -0200
From: [email protected]
To: [email protected], [email protected],
Subject: [CLA-2002:459] Conectiva Linux Security Announcement - openldap
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : openldap
SUMMARY :
DATE : 2002-01-28 12:17:00
ID : CLA-2002:459
RELEVANT
RELEASES : 6.0, 7.0
- -------------------------------------------------------------------------
DESCRIPTION
OpenLDAP[1] is an LDAPv2 and LDAPv3 server available for several
platforms.
Thomas Fritz reported[3] a vulnerability in the ldap server which
could be exploited by remote attackers to delete attributes from an
object even if those attributes were protected by ACLs.
Authenticated users (in openldap versions 2.0.8 up to 2.0.19) could
issue a REPLACE command for an attribute where the new value is an
empty one, thus effectively removing the attribute if allowed by the
current schema, that is, if the attribute in question is not
mandatory. In versions prior to 2.0.8, anonymous users could do this
as well, regardless of ACLs protecting this attribute.
The OpenLDAP project has released[2] a new version to address this
vulnerability. OpenLDAP 1.2.x is not affected by this vulnerability,
only the specified 2.0.x releases.
SOLUTION
It is recommended that all OpenLDAP 2.0.x users upgrade their
packages. If the service is already running, the upgrade will
automatically restart it.
REFERENCES
1. http://www.openldap.org
2.
http://www.openldap.org/lists/openldap-announce/200201/msg00002.html
3. http://www.openldap.org/lists/openldap-bugs/200201/msg00049.html
4. http://www.securityfocus.com/bid/3945
DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openldap2-2.0.21-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-2.0.21-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-devel-2.0.21-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-tests-2.0.21-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/openldap-2.0.21-1U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openldap-2.0.21-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openldap-client-2.0.21-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openldap-devel-2.0.21-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openldap-devel-static-2.0.21-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openldap-doc-2.0.21-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openldap-server-2.0.21-1U70_2cl.i386.rpm
ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
(you may also use linuxconf to do this):
rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
(replace 6.0 with the correct version number if you are not running CL6.0)
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
subscribe: [email protected]
unsubscribe: [email protected]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8VV2S42jd0JmAcZARAvacAJ0Qf999SH6JW8Nkj0ETRaO9H/Bb4ACfRnkN
KZdyorbm6UavBkPVeSHxry4=
=6L8z
-----END PGP SIGNATURE-----
