2015-04-21 18:43:54 |
Felipe Reyes |
bug |
|
|
added bug |
2015-04-21 18:58:39 |
Felipe Reyes |
cve linked |
|
2012-1164 |
|
2015-04-21 18:58:53 |
Felipe Reyes |
openldap (Ubuntu): assignee |
|
Felipe Reyes (freyes) |
|
2015-05-06 02:22:48 |
Ryan Tandy |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663644 |
|
2015-05-06 02:22:48 |
Ryan Tandy |
bug task added |
|
openldap (Debian) |
|
2015-05-06 07:27:41 |
Bug Watch Updater |
openldap (Debian): status |
Unknown |
Fix Released |
|
2015-05-06 12:54:46 |
Felipe Reyes |
nominated for series |
|
Ubuntu Precise |
|
2015-05-06 12:57:49 |
Felipe Reyes |
description |
[Impact]
* slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.
* Trusty ships 2.4.31 which comes with a fix for this.
[Test Case]
TBD
[Regression Potential]
TBD
[Other Info]
* Upstream bug report http://www.openldap.org/its/index.cgi/Software%2520Bugs?id=7143
* http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1164.html |
[Impact]
* slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.
* Trusty ships 2.4.31 which comes with a fix for this.
[Test Case]
TBD
[Regression Potential]
TBD
[Other Info]
* Upstream bug report http://www.openldap.org/its/index.cgi/Software%2520Bugs?id=7143
* http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1164.html
* Patches backported:
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=ef2f5263de8802794e528cc2648ecfca369302ae (p1)
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=430256fafb85028443d7964a5ab1f4bbf8b2db38 (p2)
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=463c1fa25d45e393dc1f1ea235286f79e872fad0 (p3) |
|
2015-05-06 13:03:34 |
Felipe Reyes |
summary |
denial of service via an LDAP search query with attrsOnly set to true (CVE-2012-1164) |
[SRU] denial of service via an LDAP search query with attrsOnly set to true (CVE-2012-1164) |
|
2015-05-06 13:12:35 |
Felipe Reyes |
description |
[Impact]
* slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.
* Trusty ships 2.4.31 which comes with a fix for this.
[Test Case]
TBD
[Regression Potential]
TBD
[Other Info]
* Upstream bug report http://www.openldap.org/its/index.cgi/Software%2520Bugs?id=7143
* http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1164.html
* Patches backported:
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=ef2f5263de8802794e528cc2648ecfca369302ae (p1)
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=430256fafb85028443d7964a5ab1f4bbf8b2db38 (p2)
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=463c1fa25d45e393dc1f1ea235286f79e872fad0 (p3) |
[Impact]
* slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.
* Trusty ships 2.4.31 which comes with a fix for this.
[Test Case]
TBD
[Regression Potential]
* this set of patches adds validations to avoid segfaults, so no regression is expected.
[Other Info]
* Upstream bug report http://www.openldap.org/its/index.cgi/Software%2520Bugs?id=7143
* http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1164.html
* Patches backported:
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=ef2f5263de8802794e528cc2648ecfca369302ae (p1)
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=430256fafb85028443d7964a5ab1f4bbf8b2db38 (p2)
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=463c1fa25d45e393dc1f1ea235286f79e872fad0 (p3) |
|
2015-05-06 13:24:03 |
Felipe Reyes |
attachment added |
|
lp1446809_precise.debdiff https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1446809/+attachment/4392199/+files/lp1446809_precise.debdiff |
|
2015-05-06 16:22:06 |
Ubuntu Foundations Team Bug Bot |
tags |
cts |
cts patch |
|
2015-05-06 16:22:14 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2015-05-06 21:38:03 |
Felipe Reyes |
tags |
cts patch |
cts |
|
2015-05-18 14:09:46 |
Sebastien Bacher |
bug task added |
|
openldap (Ubuntu Precise) |
|
2015-05-18 14:09:54 |
Sebastien Bacher |
openldap (Ubuntu): status |
New |
Fix Released |
|
2015-05-18 14:09:56 |
Sebastien Bacher |
openldap (Ubuntu): importance |
Undecided |
High |
|
2015-05-18 14:09:58 |
Sebastien Bacher |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2015-05-18 14:10:11 |
Sebastien Bacher |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2015-05-18 14:10:14 |
Sebastien Bacher |
openldap (Ubuntu Precise): status |
New |
Triaged |
|
2015-05-18 14:10:16 |
Sebastien Bacher |
openldap (Ubuntu Precise): importance |
Undecided |
High |
|
2015-05-18 16:21:41 |
adam.g.pullen |
bug |
|
|
added subscriber adam.g.pullen |
2015-05-19 19:02:57 |
Felipe Reyes |
cve linked |
|
2013-4449 |
|
2015-05-19 19:03:31 |
Felipe Reyes |
cve linked |
|
2015-1545 |
|
2015-05-19 19:04:25 |
Felipe Reyes |
attachment removed |
lp1446809_precise.debdiff https://bugs.launchpad.net/ubuntu/precise/+source/openldap/+bug/1446809/+attachment/4392199/+files/lp1446809_precise.debdiff |
|
|
2015-05-19 19:22:28 |
Felipe Reyes |
description |
[Impact]
* slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.
* Trusty ships 2.4.31 which comes with a fix for this.
[Test Case]
TBD
[Regression Potential]
* this set of patches adds validations to avoid segfaults, so no regression is expected.
[Other Info]
* Upstream bug report http://www.openldap.org/its/index.cgi/Software%2520Bugs?id=7143
* http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1164.html
* Patches backported:
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=ef2f5263de8802794e528cc2648ecfca369302ae (p1)
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=430256fafb85028443d7964a5ab1f4bbf8b2db38 (p2)
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=463c1fa25d45e393dc1f1ea235286f79e872fad0 (p3) |
[Impact]
* CVE-2012-1164:
  - slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.
  - Trusty ships 2.4.31 which comes with a fix for this.
* CVE-2013-4449:
  - The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search.
  - This bug affects all the series (precise, trusty, utopic, vivid and wily)
* CVE-2015-1545:
  - The deref_parseCtrl function in servers/slapd/overlays/deref.c in OpenLDAP 2.4.13 through 2.4.40 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an empty attribute list in a deref control in a search request.
  - This bug affects all the series (precise, trusty, utopic, vivid and wily)
[Regression Potential]
* this set of patches adds validations to avoid segfaults, so no regression is expected.
[Other Info]
* CVE-2012-1164:
  - Upstream bug report http://www.openldap.org/its/index.cgi/Software%2520Bugs?id=7143
  - http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1164.html
  - Patches backported:
    - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=ef2f5263de8802794e528cc2648ecfca369302ae (p1)
    - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=430256fafb85028443d7964a5ab1f4bbf8b2db38 (p2)
    - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=463c1fa25d45e393dc1f1ea235286f79e872fad0 (p3)
* CVE-2013-4449:
  - Upstream bug report http://www.openldap.org/its/index.cgi/Incoming?id=7723
  - Patches backported:
    - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=924389d9dd9dbb6ffe5db6c0fc65ecfe6814a1af
* CVE-2015-1545:
  - Upstream bug report http://www.openldap.org/its/?findid=8027
  - Patches backported:
    - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=7a5a98577a0481d864ca7fe05b9b32274d4d1fb5 |
|
2015-05-19 19:25:06 |
Felipe Reyes |
attachment added |
|
lp1446809_precise.debdiff https://bugs.launchpad.net/ubuntu/precise/+source/openldap/+bug/1446809/+attachment/4400520/+files/lp1446809_precise.debdiff |
|
2015-05-19 19:36:43 |
Felipe Reyes |
attachment added |
|
lp1446809_trusty.debdiff https://bugs.launchpad.net/ubuntu/precise/+source/openldap/+bug/1446809/+attachment/4400527/+files/lp1446809_trusty.debdiff |
|
2015-05-19 19:38:24 |
Felipe Reyes |
attachment added |
|
lp1446809_utopic.debdiff https://bugs.launchpad.net/ubuntu/precise/+source/openldap/+bug/1446809/+attachment/4400528/+files/lp1446809_utopic.debdiff |
|
2015-05-19 19:40:03 |
Felipe Reyes |
attachment added |
|
lp1446809_vivid.patch https://bugs.launchpad.net/ubuntu/precise/+source/openldap/+bug/1446809/+attachment/4400529/+files/lp1446809_vivid.patch |
|
2015-05-19 19:48:04 |
Felipe Reyes |
nominated for series |
|
Ubuntu Utopic |
|
2015-05-19 19:48:04 |
Felipe Reyes |
nominated for series |
|
Ubuntu Vivid |
|
2015-05-19 19:48:04 |
Felipe Reyes |
nominated for series |
|
Ubuntu Trusty |
|
2015-05-19 20:00:07 |
Felipe Reyes |
summary |
[SRU] denial of service via an LDAP search query with attrsOnly set to true (CVE-2012-1164) |
[SRU] denial of service via an LDAP search query (CVE-2012-1164, CVE-2013-4449, CVE-2015-1545) |
|
2015-05-25 12:52:58 |
Marc Deslauriers |
bug task added |
|
openldap (Ubuntu Trusty) |
|
2015-05-25 12:53:06 |
Marc Deslauriers |
bug task added |
|
openldap (Ubuntu Utopic) |
|
2015-05-25 12:53:13 |
Marc Deslauriers |
bug task added |
|
openldap (Ubuntu Vivid) |
|
2015-05-26 14:22:52 |
Felipe Reyes |
branch linked |
|
lp:~freyes/openldap/lp1446809 |
|
2015-05-26 17:29:26 |
Launchpad Janitor |
openldap (Ubuntu Utopic): status |
New |
Fix Released |
|
2015-05-26 17:29:28 |
Launchpad Janitor |
openldap (Ubuntu Vivid): status |
New |
Fix Released |
|
2015-05-26 17:35:21 |
Launchpad Janitor |
openldap (Ubuntu Precise): status |
Triaged |
Fix Released |
|
2015-05-26 17:35:25 |
Launchpad Janitor |
openldap (Ubuntu Trusty): status |
New |
Fix Released |
|
2015-05-28 06:14:55 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/vivid/openldap/vivid-security |
|
2015-05-28 06:15:17 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-security/openldap |
|
2015-05-28 06:15:31 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/trusty/openldap/trusty-security |
|
2015-05-28 06:15:44 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/utopic/openldap/utopic-security |
|
2015-05-29 14:13:13 |
Felipe Reyes |
openldap (Ubuntu Precise): assignee |
|
Felipe Reyes (freyes) |
|
2015-05-29 14:13:19 |
Felipe Reyes |
openldap (Ubuntu Trusty): assignee |
|
Felipe Reyes (freyes) |
|
2015-05-29 14:13:24 |
Felipe Reyes |
openldap (Ubuntu Utopic): assignee |
|
Felipe Reyes (freyes) |
|
2015-05-29 14:13:30 |
Felipe Reyes |
openldap (Ubuntu Vivid): assignee |
|
Felipe Reyes (freyes) |
|