Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2007.0930 -- [RedHat]
Moderate: openldap security and enhancement update
16 November 2007
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: openldap
Publisher: Red Hat
Operating System: Red Hat Linux 4
Impact: Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2007-5707
Ref: AA-2007.0093
ESB-2007.0892
Original Bulletin: https://rhn.redhat.com/errata/RHSA-2007-1038.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ---------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Moderate: openldap security and enhancement update
Advisory ID: RHSA-2007:1038-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-1038.html
Issue date: 2007-11-15
Updated on: 2007-11-15
Product: Red Hat Enterprise Linux
CVE Names: CVE-2007-5707
- - ---------------------------------------------------------------------
1. Summary:
Updated openldap packages that fix a security flaw are now available for
Red Hat Enterprise Linux 4.
This update has been rated as having moderate security impact by the Red
Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
3. Problem description:
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
Protocol) applications and development tools.
A flaw was found in the way OpenLDAP's slapd daemon handled malformed
objectClasses LDAP attributes. An authenticated local or remote attacker
could create an LDAP request which could cause a denial of service by
crashing slapd. (CVE-2007-5707)
In addition, the following feature was added:
* OpenLDAP client tools now have new option to configure their bind timeout.
All users are advised to upgrade to these updated openldap packages, which
contain a backported patch to correct this issue and provide this security
enhancement.
4. Solution:
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188
5. Bug IDs fixed (http://bugzilla.redhat.com/):
359851 - CVE-2007-5707 openldap slapd DoS via objectClasses attribute
6. RPMs required:
Red Hat Enterprise Linux AS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/openldap-2.2.13-8.el4_6.1.src.rpm
d83f67fe727e11d6cf1160b024b1f9a2 openldap-2.2.13-8.el4_6.1.src.rpm
i386:
b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm
6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm
219c613cf348abaaebc4c4f9f018ed9d openldap-clients-2.2.13-8.el4_6.1.i386.rpm
3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
7f40d96252d441fe7614a9beef25e0af openldap-devel-2.2.13-8.el4_6.1.i386.rpm
4c19ad7c8b3adc537463852e1eba0233 openldap-servers-2.2.13-8.el4_6.1.i386.rpm
66e950a723214043bbe5b214b6bae217 openldap-servers-sql-2.2.13-8.el4_6.1.i386.rpm
ia64:
b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm
6b8aaa38dfbca517ebc8c2eeab072225 compat-openldap-2.1.30-8.el4_6.1.ia64.rpm
6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm
e48a6a25b291ebe73a1e500a51d5752c openldap-2.2.13-8.el4_6.1.ia64.rpm
42ab2e4a1af25c108f86b231af51321d openldap-clients-2.2.13-8.el4_6.1.ia64.rpm
3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
f016210f44503358b516cca1e9602042 openldap-debuginfo-2.2.13-8.el4_6.1.ia64.rpm
ebdf2edb9e264227f5877905afef97ee openldap-devel-2.2.13-8.el4_6.1.ia64.rpm
817e4e1f9963c90506ec40817cb9a311 openldap-servers-2.2.13-8.el4_6.1.ia64.rpm
3a85b2d97f872c32929a36379b09ac65 openldap-servers-sql-2.2.13-8.el4_6.1.ia64.rpm
ppc:
15008c36556193ddd7107d59f319f706 compat-openldap-2.1.30-8.el4_6.1.ppc.rpm
0934b07a1e5daef1715a5905fb3298ff compat-openldap-2.1.30-8.el4_6.1.ppc64.rpm
8ea26adb6a6c9c8d993f69d06e0c13b8 openldap-2.2.13-8.el4_6.1.ppc.rpm
dc6666f0c29108215a50e3042ec3f1f6 openldap-2.2.13-8.el4_6.1.ppc64.rpm
63be6242af95535f973448e04be6001c openldap-clients-2.2.13-8.el4_6.1.ppc.rpm
7f3c6b841561748c440c9d5594ab10bb openldap-debuginfo-2.2.13-8.el4_6.1.ppc.rpm
d70cd5cb7911fc0fef4c2ec82e450c11 openldap-debuginfo-2.2.13-8.el4_6.1.ppc64.rpm
62ed6b0c6972a93067b0ae7b5050fde1 openldap-devel-2.2.13-8.el4_6.1.ppc.rpm
addded6b3675c6fbd1fff79de7c9fd7a openldap-servers-2.2.13-8.el4_6.1.ppc.rpm
86611366034b049e10e31120f23071ea openldap-servers-sql-2.2.13-8.el4_6.1.ppc.rpm
s390:
d10bae9f186810046b7c1f303d2b5275 compat-openldap-2.1.30-8.el4_6.1.s390.rpm
f6a5eb8f946114440c247a61ff3d39ad openldap-2.2.13-8.el4_6.1.s390.rpm
19cd9d96abfaf4ae90c7c5c56d1963c5 openldap-clients-2.2.13-8.el4_6.1.s390.rpm
9e2f2f3537e2a78814cdbf681e4276c3 openldap-debuginfo-2.2.13-8.el4_6.1.s390.rpm
9cf8b1ccb6fcd9d15ff6bc204f06b4dc openldap-devel-2.2.13-8.el4_6.1.s390.rpm
f25b8d09c7d36275569c1bd00d23d220 openldap-servers-2.2.13-8.el4_6.1.s390.rpm
349d84c877e0f870fa98e9830fc67454 openldap-servers-sql-2.2.13-8.el4_6.1.s390.rpm
s390x:
d10bae9f186810046b7c1f303d2b5275 compat-openldap-2.1.30-8.el4_6.1.s390.rpm
70801a51bef304886178af6806f9dbcb compat-openldap-2.1.30-8.el4_6.1.s390x.rpm
f6a5eb8f946114440c247a61ff3d39ad openldap-2.2.13-8.el4_6.1.s390.rpm
c7359a128c0d74e49a063578606bdaa8 openldap-2.2.13-8.el4_6.1.s390x.rpm
f9b40d30955a1db4f70e6b2cce3ac577 openldap-clients-2.2.13-8.el4_6.1.s390x.rpm
9e2f2f3537e2a78814cdbf681e4276c3 openldap-debuginfo-2.2.13-8.el4_6.1.s390.rpm
36e98eb7d5f13afb6efe38f3f1f13bba openldap-debuginfo-2.2.13-8.el4_6.1.s390x.rpm
c82e16b66ac226d5263d7d1b7a5f57a8 openldap-devel-2.2.13-8.el4_6.1.s390x.rpm
4b5f38cbdec79291593221a66125e45e openldap-servers-2.2.13-8.el4_6.1.s390x.rpm
d3c79b08b668917d1156f366c320bce2 openldap-servers-sql-2.2.13-8.el4_6.1.s390x.rpm
x86_64:
b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm
a4a32d858eb9289ca447bea8513cfe1d compat-openldap-2.1.30-8.el4_6.1.x86_64.rpm
6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm
49aa0f91ab6af3df095e47f5aaafa4b0 openldap-2.2.13-8.el4_6.1.x86_64.rpm
c4dc861ca1240793966e707a8f4a7cd3 openldap-clients-2.2.13-8.el4_6.1.x86_64.rpm
3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
be99b06e1dbeeec8e5259e1385a368c2 openldap-debuginfo-2.2.13-8.el4_6.1.x86_64.rpm
48d7db553ba4c337e776005170b61d80 openldap-devel-2.2.13-8.el4_6.1.x86_64.rpm
59dce9ed46d0f6661fca7c2d1141da35 openldap-servers-2.2.13-8.el4_6.1.x86_64.rpm
6e64d976439bdacd8200ac3a2197c409 openldap-servers-sql-2.2.13-8.el4_6.1.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/openldap-2.2.13-8.el4_6.1.src.rpm
d83f67fe727e11d6cf1160b024b1f9a2 openldap-2.2.13-8.el4_6.1.src.rpm
i386:
b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm
6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm
219c613cf348abaaebc4c4f9f018ed9d openldap-clients-2.2.13-8.el4_6.1.i386.rpm
3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
7f40d96252d441fe7614a9beef25e0af openldap-devel-2.2.13-8.el4_6.1.i386.rpm
4c19ad7c8b3adc537463852e1eba0233 openldap-servers-2.2.13-8.el4_6.1.i386.rpm
66e950a723214043bbe5b214b6bae217 openldap-servers-sql-2.2.13-8.el4_6.1.i386.rpm
x86_64:
b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm
a4a32d858eb9289ca447bea8513cfe1d compat-openldap-2.1.30-8.el4_6.1.x86_64.rpm
6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm
49aa0f91ab6af3df095e47f5aaafa4b0 openldap-2.2.13-8.el4_6.1.x86_64.rpm
c4dc861ca1240793966e707a8f4a7cd3 openldap-clients-2.2.13-8.el4_6.1.x86_64.rpm
3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
be99b06e1dbeeec8e5259e1385a368c2 openldap-debuginfo-2.2.13-8.el4_6.1.x86_64.rpm
48d7db553ba4c337e776005170b61d80 openldap-devel-2.2.13-8.el4_6.1.x86_64.rpm
59dce9ed46d0f6661fca7c2d1141da35 openldap-servers-2.2.13-8.el4_6.1.x86_64.rpm
6e64d976439bdacd8200ac3a2197c409 openldap-servers-sql-2.2.13-8.el4_6.1.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/openldap-2.2.13-8.el4_6.1.src.rpm
d83f67fe727e11d6cf1160b024b1f9a2 openldap-2.2.13-8.el4_6.1.src.rpm
i386:
b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm
6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm
219c613cf348abaaebc4c4f9f018ed9d openldap-clients-2.2.13-8.el4_6.1.i386.rpm
3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
7f40d96252d441fe7614a9beef25e0af openldap-devel-2.2.13-8.el4_6.1.i386.rpm
4c19ad7c8b3adc537463852e1eba0233 openldap-servers-2.2.13-8.el4_6.1.i386.rpm
66e950a723214043bbe5b214b6bae217 openldap-servers-sql-2.2.13-8.el4_6.1.i386.rpm
ia64:
b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm
6b8aaa38dfbca517ebc8c2eeab072225 compat-openldap-2.1.30-8.el4_6.1.ia64.rpm
6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm
e48a6a25b291ebe73a1e500a51d5752c openldap-2.2.13-8.el4_6.1.ia64.rpm
42ab2e4a1af25c108f86b231af51321d openldap-clients-2.2.13-8.el4_6.1.ia64.rpm
3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
f016210f44503358b516cca1e9602042 openldap-debuginfo-2.2.13-8.el4_6.1.ia64.rpm
ebdf2edb9e264227f5877905afef97ee openldap-devel-2.2.13-8.el4_6.1.ia64.rpm
817e4e1f9963c90506ec40817cb9a311 openldap-servers-2.2.13-8.el4_6.1.ia64.rpm
3a85b2d97f872c32929a36379b09ac65 openldap-servers-sql-2.2.13-8.el4_6.1.ia64.rpm
x86_64:
b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm
a4a32d858eb9289ca447bea8513cfe1d compat-openldap-2.1.30-8.el4_6.1.x86_64.rpm
6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm
49aa0f91ab6af3df095e47f5aaafa4b0 openldap-2.2.13-8.el4_6.1.x86_64.rpm
c4dc861ca1240793966e707a8f4a7cd3 openldap-clients-2.2.13-8.el4_6.1.x86_64.rpm
3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
be99b06e1dbeeec8e5259e1385a368c2 openldap-debuginfo-2.2.13-8.el4_6.1.x86_64.rpm
48d7db553ba4c337e776005170b61d80 openldap-devel-2.2.13-8.el4_6.1.x86_64.rpm
59dce9ed46d0f6661fca7c2d1141da35 openldap-servers-2.2.13-8.el4_6.1.x86_64.rpm
6e64d976439bdacd8200ac3a2197c409 openldap-servers-sql-2.2.13-8.el4_6.1.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/openldap-2.2.13-8.el4_6.1.src.rpm
d83f67fe727e11d6cf1160b024b1f9a2 openldap-2.2.13-8.el4_6.1.src.rpm
i386:
b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm
6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm
219c613cf348abaaebc4c4f9f018ed9d openldap-clients-2.2.13-8.el4_6.1.i386.rpm
3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
7f40d96252d441fe7614a9beef25e0af openldap-devel-2.2.13-8.el4_6.1.i386.rpm
4c19ad7c8b3adc537463852e1eba0233 openldap-servers-2.2.13-8.el4_6.1.i386.rpm
66e950a723214043bbe5b214b6bae217 openldap-servers-sql-2.2.13-8.el4_6.1.i386.rpm
ia64:
b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm
6b8aaa38dfbca517ebc8c2eeab072225 compat-openldap-2.1.30-8.el4_6.1.ia64.rpm
6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm
e48a6a25b291ebe73a1e500a51d5752c openldap-2.2.13-8.el4_6.1.ia64.rpm
42ab2e4a1af25c108f86b231af51321d openldap-clients-2.2.13-8.el4_6.1.ia64.rpm
3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
f016210f44503358b516cca1e9602042 openldap-debuginfo-2.2.13-8.el4_6.1.ia64.rpm
ebdf2edb9e264227f5877905afef97ee openldap-devel-2.2.13-8.el4_6.1.ia64.rpm
817e4e1f9963c90506ec40817cb9a311 openldap-servers-2.2.13-8.el4_6.1.ia64.rpm
3a85b2d97f872c32929a36379b09ac65 openldap-servers-sql-2.2.13-8.el4_6.1.ia64.rpm
x86_64:
b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm
a4a32d858eb9289ca447bea8513cfe1d compat-openldap-2.1.30-8.el4_6.1.x86_64.rpm
6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm
49aa0f91ab6af3df095e47f5aaafa4b0 openldap-2.2.13-8.el4_6.1.x86_64.rpm
c4dc861ca1240793966e707a8f4a7cd3 openldap-clients-2.2.13-8.el4_6.1.x86_64.rpm
3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm
be99b06e1dbeeec8e5259e1385a368c2 openldap-debuginfo-2.2.13-8.el4_6.1.x86_64.rpm
48d7db553ba4c337e776005170b61d80 openldap-devel-2.2.13-8.el4_6.1.x86_64.rpm
59dce9ed46d0f6661fca7c2d1141da35 openldap-servers-2.2.13-8.el4_6.1.x86_64.rpm
6e64d976439bdacd8200ac3a2197c409 openldap-servers-sql-2.2.13-8.el4_6.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5707
http://www.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2007 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFHPHfpXlSAg2UNWIIRAg5ZAJ9O3WasZApIh4oqZsheqyt2blLxJwCfTPch
db+zv5iKjFzwxOgBYZgatSA=
=Iq6r
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRz0SdCh9+71yA2DNAQIJHAP/RBT7m5l33oC6Le5+ZVYHsQw23yMi8IML
QfP8mCg+DcregoaNTVKxCQsf9XeTkYb40WcEgxmBLX+mFbmAwRpB3RfEAvixeNlJ
TqMuFnKo0m+mMxlR2MRXMQJCjeDKqBdhnb5sA765TRByfOjvePiva+KEpItb6/gM
1XgkK+dksig=
=HuIV
-----END PGP SIGNATURE-----