Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2007.0930 -- [RedHat] Moderate: openldap security and enhancement update 16 November 2007 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: openldap Publisher: Red Hat Operating System: Red Hat Linux 4 Impact: Denial of Service Access: Remote/Unauthenticated CVE Names: CVE-2007-5707 Ref: AA-2007.0093 ESB-2007.0892 Original Bulletin: https://rhn.redhat.com/errata/RHSA-2007-1038.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - --------------------------------------------------------------------- Red Hat Security Advisory Synopsis: Moderate: openldap security and enhancement update Advisory ID: RHSA-2007:1038-01 Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-1038.html Issue date: 2007-11-15 Updated on: 2007-11-15 Product: Red Hat Enterprise Linux CVE Names: CVE-2007-5707 - - --------------------------------------------------------------------- 1. Summary: Updated openldap packages that fix a security flaw are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Problem description: OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. A flaw was found in the way OpenLDAP's slapd daemon handled malformed objectClasses LDAP attributes. An authenticated local or remote attacker could create an LDAP request which could cause a denial of service by crashing slapd. (CVE-2007-5707) In addition, the following feature was added: * OpenLDAP client tools now have new option to configure their bind timeout. All users are advised to upgrade to these updated openldap packages, which contain a backported patch to correct this issue and provide this security enhancement. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 5. Bug IDs fixed (http://bugzilla.redhat.com/): 359851 - CVE-2007-5707 openldap slapd DoS via objectClasses attribute 6. RPMs required: Red Hat Enterprise Linux AS version 4: SRPMS: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/openldap-2.2.13-8.el4_6.1.src.rpm d83f67fe727e11d6cf1160b024b1f9a2 openldap-2.2.13-8.el4_6.1.src.rpm i386: b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm 6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm 219c613cf348abaaebc4c4f9f018ed9d openldap-clients-2.2.13-8.el4_6.1.i386.rpm 3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm 7f40d96252d441fe7614a9beef25e0af openldap-devel-2.2.13-8.el4_6.1.i386.rpm 4c19ad7c8b3adc537463852e1eba0233 openldap-servers-2.2.13-8.el4_6.1.i386.rpm 66e950a723214043bbe5b214b6bae217 openldap-servers-sql-2.2.13-8.el4_6.1.i386.rpm ia64: b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm 6b8aaa38dfbca517ebc8c2eeab072225 compat-openldap-2.1.30-8.el4_6.1.ia64.rpm 6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm e48a6a25b291ebe73a1e500a51d5752c openldap-2.2.13-8.el4_6.1.ia64.rpm 42ab2e4a1af25c108f86b231af51321d openldap-clients-2.2.13-8.el4_6.1.ia64.rpm 3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm f016210f44503358b516cca1e9602042 openldap-debuginfo-2.2.13-8.el4_6.1.ia64.rpm ebdf2edb9e264227f5877905afef97ee openldap-devel-2.2.13-8.el4_6.1.ia64.rpm 817e4e1f9963c90506ec40817cb9a311 openldap-servers-2.2.13-8.el4_6.1.ia64.rpm 3a85b2d97f872c32929a36379b09ac65 openldap-servers-sql-2.2.13-8.el4_6.1.ia64.rpm ppc: 15008c36556193ddd7107d59f319f706 compat-openldap-2.1.30-8.el4_6.1.ppc.rpm 0934b07a1e5daef1715a5905fb3298ff compat-openldap-2.1.30-8.el4_6.1.ppc64.rpm 8ea26adb6a6c9c8d993f69d06e0c13b8 openldap-2.2.13-8.el4_6.1.ppc.rpm dc6666f0c29108215a50e3042ec3f1f6 openldap-2.2.13-8.el4_6.1.ppc64.rpm 63be6242af95535f973448e04be6001c openldap-clients-2.2.13-8.el4_6.1.ppc.rpm 7f3c6b841561748c440c9d5594ab10bb openldap-debuginfo-2.2.13-8.el4_6.1.ppc.rpm d70cd5cb7911fc0fef4c2ec82e450c11 openldap-debuginfo-2.2.13-8.el4_6.1.ppc64.rpm 62ed6b0c6972a93067b0ae7b5050fde1 openldap-devel-2.2.13-8.el4_6.1.ppc.rpm addded6b3675c6fbd1fff79de7c9fd7a openldap-servers-2.2.13-8.el4_6.1.ppc.rpm 86611366034b049e10e31120f23071ea openldap-servers-sql-2.2.13-8.el4_6.1.ppc.rpm s390: d10bae9f186810046b7c1f303d2b5275 compat-openldap-2.1.30-8.el4_6.1.s390.rpm f6a5eb8f946114440c247a61ff3d39ad openldap-2.2.13-8.el4_6.1.s390.rpm 19cd9d96abfaf4ae90c7c5c56d1963c5 openldap-clients-2.2.13-8.el4_6.1.s390.rpm 9e2f2f3537e2a78814cdbf681e4276c3 openldap-debuginfo-2.2.13-8.el4_6.1.s390.rpm 9cf8b1ccb6fcd9d15ff6bc204f06b4dc openldap-devel-2.2.13-8.el4_6.1.s390.rpm f25b8d09c7d36275569c1bd00d23d220 openldap-servers-2.2.13-8.el4_6.1.s390.rpm 349d84c877e0f870fa98e9830fc67454 openldap-servers-sql-2.2.13-8.el4_6.1.s390.rpm s390x: d10bae9f186810046b7c1f303d2b5275 compat-openldap-2.1.30-8.el4_6.1.s390.rpm 70801a51bef304886178af6806f9dbcb compat-openldap-2.1.30-8.el4_6.1.s390x.rpm f6a5eb8f946114440c247a61ff3d39ad openldap-2.2.13-8.el4_6.1.s390.rpm c7359a128c0d74e49a063578606bdaa8 openldap-2.2.13-8.el4_6.1.s390x.rpm f9b40d30955a1db4f70e6b2cce3ac577 openldap-clients-2.2.13-8.el4_6.1.s390x.rpm 9e2f2f3537e2a78814cdbf681e4276c3 openldap-debuginfo-2.2.13-8.el4_6.1.s390.rpm 36e98eb7d5f13afb6efe38f3f1f13bba openldap-debuginfo-2.2.13-8.el4_6.1.s390x.rpm c82e16b66ac226d5263d7d1b7a5f57a8 openldap-devel-2.2.13-8.el4_6.1.s390x.rpm 4b5f38cbdec79291593221a66125e45e openldap-servers-2.2.13-8.el4_6.1.s390x.rpm d3c79b08b668917d1156f366c320bce2 openldap-servers-sql-2.2.13-8.el4_6.1.s390x.rpm x86_64: b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm a4a32d858eb9289ca447bea8513cfe1d compat-openldap-2.1.30-8.el4_6.1.x86_64.rpm 6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm 49aa0f91ab6af3df095e47f5aaafa4b0 openldap-2.2.13-8.el4_6.1.x86_64.rpm c4dc861ca1240793966e707a8f4a7cd3 openldap-clients-2.2.13-8.el4_6.1.x86_64.rpm 3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm be99b06e1dbeeec8e5259e1385a368c2 openldap-debuginfo-2.2.13-8.el4_6.1.x86_64.rpm 48d7db553ba4c337e776005170b61d80 openldap-devel-2.2.13-8.el4_6.1.x86_64.rpm 59dce9ed46d0f6661fca7c2d1141da35 openldap-servers-2.2.13-8.el4_6.1.x86_64.rpm 6e64d976439bdacd8200ac3a2197c409 openldap-servers-sql-2.2.13-8.el4_6.1.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: SRPMS: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/openldap-2.2.13-8.el4_6.1.src.rpm d83f67fe727e11d6cf1160b024b1f9a2 openldap-2.2.13-8.el4_6.1.src.rpm i386: b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm 6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm 219c613cf348abaaebc4c4f9f018ed9d openldap-clients-2.2.13-8.el4_6.1.i386.rpm 3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm 7f40d96252d441fe7614a9beef25e0af openldap-devel-2.2.13-8.el4_6.1.i386.rpm 4c19ad7c8b3adc537463852e1eba0233 openldap-servers-2.2.13-8.el4_6.1.i386.rpm 66e950a723214043bbe5b214b6bae217 openldap-servers-sql-2.2.13-8.el4_6.1.i386.rpm x86_64: b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm a4a32d858eb9289ca447bea8513cfe1d compat-openldap-2.1.30-8.el4_6.1.x86_64.rpm 6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm 49aa0f91ab6af3df095e47f5aaafa4b0 openldap-2.2.13-8.el4_6.1.x86_64.rpm c4dc861ca1240793966e707a8f4a7cd3 openldap-clients-2.2.13-8.el4_6.1.x86_64.rpm 3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm be99b06e1dbeeec8e5259e1385a368c2 openldap-debuginfo-2.2.13-8.el4_6.1.x86_64.rpm 48d7db553ba4c337e776005170b61d80 openldap-devel-2.2.13-8.el4_6.1.x86_64.rpm 59dce9ed46d0f6661fca7c2d1141da35 openldap-servers-2.2.13-8.el4_6.1.x86_64.rpm 6e64d976439bdacd8200ac3a2197c409 openldap-servers-sql-2.2.13-8.el4_6.1.x86_64.rpm Red Hat Enterprise Linux ES version 4: SRPMS: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/openldap-2.2.13-8.el4_6.1.src.rpm d83f67fe727e11d6cf1160b024b1f9a2 openldap-2.2.13-8.el4_6.1.src.rpm i386: b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm 6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm 219c613cf348abaaebc4c4f9f018ed9d openldap-clients-2.2.13-8.el4_6.1.i386.rpm 3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm 7f40d96252d441fe7614a9beef25e0af openldap-devel-2.2.13-8.el4_6.1.i386.rpm 4c19ad7c8b3adc537463852e1eba0233 openldap-servers-2.2.13-8.el4_6.1.i386.rpm 66e950a723214043bbe5b214b6bae217 openldap-servers-sql-2.2.13-8.el4_6.1.i386.rpm ia64: b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm 6b8aaa38dfbca517ebc8c2eeab072225 compat-openldap-2.1.30-8.el4_6.1.ia64.rpm 6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm e48a6a25b291ebe73a1e500a51d5752c openldap-2.2.13-8.el4_6.1.ia64.rpm 42ab2e4a1af25c108f86b231af51321d openldap-clients-2.2.13-8.el4_6.1.ia64.rpm 3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm f016210f44503358b516cca1e9602042 openldap-debuginfo-2.2.13-8.el4_6.1.ia64.rpm ebdf2edb9e264227f5877905afef97ee openldap-devel-2.2.13-8.el4_6.1.ia64.rpm 817e4e1f9963c90506ec40817cb9a311 openldap-servers-2.2.13-8.el4_6.1.ia64.rpm 3a85b2d97f872c32929a36379b09ac65 openldap-servers-sql-2.2.13-8.el4_6.1.ia64.rpm x86_64: b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm a4a32d858eb9289ca447bea8513cfe1d compat-openldap-2.1.30-8.el4_6.1.x86_64.rpm 6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm 49aa0f91ab6af3df095e47f5aaafa4b0 openldap-2.2.13-8.el4_6.1.x86_64.rpm c4dc861ca1240793966e707a8f4a7cd3 openldap-clients-2.2.13-8.el4_6.1.x86_64.rpm 3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm be99b06e1dbeeec8e5259e1385a368c2 openldap-debuginfo-2.2.13-8.el4_6.1.x86_64.rpm 48d7db553ba4c337e776005170b61d80 openldap-devel-2.2.13-8.el4_6.1.x86_64.rpm 59dce9ed46d0f6661fca7c2d1141da35 openldap-servers-2.2.13-8.el4_6.1.x86_64.rpm 6e64d976439bdacd8200ac3a2197c409 openldap-servers-sql-2.2.13-8.el4_6.1.x86_64.rpm Red Hat Enterprise Linux WS version 4: SRPMS: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/openldap-2.2.13-8.el4_6.1.src.rpm d83f67fe727e11d6cf1160b024b1f9a2 openldap-2.2.13-8.el4_6.1.src.rpm i386: b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm 6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm 219c613cf348abaaebc4c4f9f018ed9d openldap-clients-2.2.13-8.el4_6.1.i386.rpm 3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm 7f40d96252d441fe7614a9beef25e0af openldap-devel-2.2.13-8.el4_6.1.i386.rpm 4c19ad7c8b3adc537463852e1eba0233 openldap-servers-2.2.13-8.el4_6.1.i386.rpm 66e950a723214043bbe5b214b6bae217 openldap-servers-sql-2.2.13-8.el4_6.1.i386.rpm ia64: b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm 6b8aaa38dfbca517ebc8c2eeab072225 compat-openldap-2.1.30-8.el4_6.1.ia64.rpm 6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm e48a6a25b291ebe73a1e500a51d5752c openldap-2.2.13-8.el4_6.1.ia64.rpm 42ab2e4a1af25c108f86b231af51321d openldap-clients-2.2.13-8.el4_6.1.ia64.rpm 3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm f016210f44503358b516cca1e9602042 openldap-debuginfo-2.2.13-8.el4_6.1.ia64.rpm ebdf2edb9e264227f5877905afef97ee openldap-devel-2.2.13-8.el4_6.1.ia64.rpm 817e4e1f9963c90506ec40817cb9a311 openldap-servers-2.2.13-8.el4_6.1.ia64.rpm 3a85b2d97f872c32929a36379b09ac65 openldap-servers-sql-2.2.13-8.el4_6.1.ia64.rpm x86_64: b2c433fe08be943cb34d7ae75d29f022 compat-openldap-2.1.30-8.el4_6.1.i386.rpm a4a32d858eb9289ca447bea8513cfe1d compat-openldap-2.1.30-8.el4_6.1.x86_64.rpm 6ddb8c954ba2f85aa11850541d09f2f1 openldap-2.2.13-8.el4_6.1.i386.rpm 49aa0f91ab6af3df095e47f5aaafa4b0 openldap-2.2.13-8.el4_6.1.x86_64.rpm c4dc861ca1240793966e707a8f4a7cd3 openldap-clients-2.2.13-8.el4_6.1.x86_64.rpm 3a5d6b07337958bdfdf7528abcd0ffb2 openldap-debuginfo-2.2.13-8.el4_6.1.i386.rpm be99b06e1dbeeec8e5259e1385a368c2 openldap-debuginfo-2.2.13-8.el4_6.1.x86_64.rpm 48d7db553ba4c337e776005170b61d80 openldap-devel-2.2.13-8.el4_6.1.x86_64.rpm 59dce9ed46d0f6661fca7c2d1141da35 openldap-servers-2.2.13-8.el4_6.1.x86_64.rpm 6e64d976439bdacd8200ac3a2197c409 openldap-servers-sql-2.2.13-8.el4_6.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5707 http://www.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/ Copyright 2007 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFHPHfpXlSAg2UNWIIRAg5ZAJ9O3WasZApIh4oqZsheqyt2blLxJwCfTPch db+zv5iKjFzwxOgBYZgatSA= =Iq6r - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBRz0SdCh9+71yA2DNAQIJHAP/RBT7m5l33oC6Le5+ZVYHsQw23yMi8IML QfP8mCg+DcregoaNTVKxCQsf9XeTkYb40WcEgxmBLX+mFbmAwRpB3RfEAvixeNlJ TqMuFnKo0m+mMxlR2MRXMQJCjeDKqBdhnb5sA765TRByfOjvePiva+KEpItb6/gM 1XgkK+dksig= =HuIV -----END PGP SIGNATURE-----