Activity log for bug #1446809

Date Who What changed Old value New value Message
2015-04-21 18:43:54 Felipe Reyes bug added bug
2015-04-21 18:58:39 Felipe Reyes cve linked 2012-1164
2015-04-21 18:58:53 Felipe Reyes openldap (Ubuntu): assignee Felipe Reyes (freyes)
2015-05-06 02:22:48 Ryan Tandy bug watch added http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663644
2015-05-06 02:22:48 Ryan Tandy bug task added openldap (Debian)
2015-05-06 07:27:41 Bug Watch Updater openldap (Debian): status Unknown Fix Released
2015-05-06 12:54:46 Felipe Reyes nominated for series Ubuntu Precise
2015-05-06 12:57:49 Felipe Reyes description
Old value:
[Impact]
* slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.
* Trusty ships 2.4.31 which comes with a fix for this.
[Test Case]
TBD
[Regression Potential]
TBD
[Other Info]
* Upstream bug report http://www.openldap.org/its/index.cgi/Software%2520Bugs?id=7143
* http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1164.html
New value:
[Impact]
* slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.
* Trusty ships 2.4.31 which comes with a fix for this.
[Test Case]
TBD
[Regression Potential]
TBD
[Other Info]
* Upstream bug report http://www.openldap.org/its/index.cgi/Software%2520Bugs?id=7143
* http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1164.html
* Patches backported:
  - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=ef2f5263de8802794e528cc2648ecfca369302ae (p1)
  - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=430256fafb85028443d7964a5ab1f4bbf8b2db38 (p2)
  - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=463c1fa25d45e393dc1f1ea235286f79e872fad0 (p3)
2015-05-06 13:03:34 Felipe Reyes summary
Old value: denial of service via an LDAP search query with attrsOnly set to true (CVE-2012-1164)
New value: [SRU] denial of service via an LDAP search query with attrsOnly set to true (CVE-2012-1164)
2015-05-06 13:12:35 Felipe Reyes description
Old value:
[Impact]
* slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.
* Trusty ships 2.4.31 which comes with a fix for this.
[Test Case]
TBD
[Regression Potential]
TBD
[Other Info]
* Upstream bug report http://www.openldap.org/its/index.cgi/Software%2520Bugs?id=7143
* http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1164.html
* Patches backported:
  - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=ef2f5263de8802794e528cc2648ecfca369302ae (p1)
  - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=430256fafb85028443d7964a5ab1f4bbf8b2db38 (p2)
  - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=463c1fa25d45e393dc1f1ea235286f79e872fad0 (p3)
New value:
[Impact]
* slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.
* Trusty ships 2.4.31 which comes with a fix for this.
[Test Case]
TBD
[Regression Potential]
* this set of patches adds validations to avoid segfaults, so no regression is expected.
[Other Info]
* Upstream bug report http://www.openldap.org/its/index.cgi/Software%2520Bugs?id=7143
* http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1164.html
* Patches backported:
  - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=ef2f5263de8802794e528cc2648ecfca369302ae (p1)
  - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=430256fafb85028443d7964a5ab1f4bbf8b2db38 (p2)
  - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=463c1fa25d45e393dc1f1ea235286f79e872fad0 (p3)
2015-05-06 13:24:03 Felipe Reyes attachment added lp1446809_precise.debdiff https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1446809/+attachment/4392199/+files/lp1446809_precise.debdiff
2015-05-06 16:22:06 Ubuntu Foundations Team Bug Bot tags cts cts patch
2015-05-06 16:22:14 Ubuntu Foundations Team Bug Bot bug added subscriber Ubuntu Sponsors Team
2015-05-06 21:38:03 Felipe Reyes tags cts patch cts
2015-05-18 14:09:46 Sebastien Bacher bug task added openldap (Ubuntu Precise)
2015-05-18 14:09:54 Sebastien Bacher openldap (Ubuntu): status New Fix Released
2015-05-18 14:09:56 Sebastien Bacher openldap (Ubuntu): importance Undecided High
2015-05-18 14:09:58 Sebastien Bacher removed subscriber Ubuntu Sponsors Team
2015-05-18 14:10:11 Sebastien Bacher bug added subscriber Ubuntu Security Sponsors Team
2015-05-18 14:10:14 Sebastien Bacher openldap (Ubuntu Precise): status New Triaged
2015-05-18 14:10:16 Sebastien Bacher openldap (Ubuntu Precise): importance Undecided High
2015-05-18 16:21:41 adam.g.pullen bug added subscriber adam.g.pullen
2015-05-19 19:02:57 Felipe Reyes cve linked 2013-4449
2015-05-19 19:03:31 Felipe Reyes cve linked 2015-1545
2015-05-19 19:04:25 Felipe Reyes attachment removed lp1446809_precise.debdiff https://bugs.launchpad.net/ubuntu/precise/+source/openldap/+bug/1446809/+attachment/4392199/+files/lp1446809_precise.debdiff
2015-05-19 19:22:28 Felipe Reyes description
Old value:
[Impact]
* slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.
* Trusty ships 2.4.31 which comes with a fix for this.
[Test Case]
TBD
[Regression Potential]
* this set of patches adds validations to avoid segfaults, so no regression is expected.
[Other Info]
* Upstream bug report http://www.openldap.org/its/index.cgi/Software%2520Bugs?id=7143
* http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1164.html
* Patches backported:
  - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=ef2f5263de8802794e528cc2648ecfca369302ae (p1)
  - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=430256fafb85028443d7964a5ab1f4bbf8b2db38 (p2)
  - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=463c1fa25d45e393dc1f1ea235286f79e872fad0 (p3)
New value:
[Impact]
* CVE-2012-1164:
  - slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.
  - Trusty ships 2.4.31 which comes with a fix for this.
* CVE-2013-4449
  - The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search.
  - This bug affects all the series (precise, trusty, utopic, vivid and wily)
* CVE-2015-1545
  - The deref_parseCtrl function in servers/slapd/overlays/deref.c in OpenLDAP 2.4.13 through 2.4.40 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an empty attribute list in a deref control in a search request.
  - This bug affects all the series (precise, trusty, utopic, vivid and wily)
[Regression Potential]
* this set of patches adds validations to avoid segfaults, so no regression is expected.
[Other Info]
* CVE-2012-1164:
  - Upstream bug report http://www.openldap.org/its/index.cgi/Software%2520Bugs?id=7143
  - http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1164.html
  - Patches backported:
    - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=ef2f5263de8802794e528cc2648ecfca369302ae (p1)
    - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=430256fafb85028443d7964a5ab1f4bbf8b2db38 (p2)
    - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=463c1fa25d45e393dc1f1ea235286f79e872fad0 (p3)
* CVE-2013-4449
  - Upstream bug report http://www.openldap.org/its/index.cgi/Incoming?id=7723
  - Patches backported:
    - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=924389d9dd9dbb6ffe5db6c0fc65ecfe6814a1af
* CVE-2015-1545
  - Upstream bug report http://www.openldap.org/its/?findid=8027
  - Patches backported:
    - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=7a5a98577a0481d864ca7fe05b9b32274d4d1fb5
2015-05-19 19:25:06 Felipe Reyes attachment added lp1446809_precise.debdiff https://bugs.launchpad.net/ubuntu/precise/+source/openldap/+bug/1446809/+attachment/4400520/+files/lp1446809_precise.debdiff
2015-05-19 19:36:43 Felipe Reyes attachment added lp1446809_trusty.debdiff https://bugs.launchpad.net/ubuntu/precise/+source/openldap/+bug/1446809/+attachment/4400527/+files/lp1446809_trusty.debdiff
2015-05-19 19:38:24 Felipe Reyes attachment added lp1446809_utopic.debdiff https://bugs.launchpad.net/ubuntu/precise/+source/openldap/+bug/1446809/+attachment/4400528/+files/lp1446809_utopic.debdiff
2015-05-19 19:40:03 Felipe Reyes attachment added lp1446809_vivid.patch https://bugs.launchpad.net/ubuntu/precise/+source/openldap/+bug/1446809/+attachment/4400529/+files/lp1446809_vivid.patch
2015-05-19 19:48:04 Felipe Reyes nominated for series Ubuntu Utopic
2015-05-19 19:48:04 Felipe Reyes nominated for series Ubuntu Vivid
2015-05-19 19:48:04 Felipe Reyes nominated for series Ubuntu Trusty
2015-05-19 20:00:07 Felipe Reyes summary
Old value: [SRU] denial of service via an LDAP search query with attrsOnly set to true (CVE-2012-1164)
New value: [SRU] denial of service via an LDAP search query (CVE-2012-1164, CVE-2013-4449, CVE-2015-1545)
2015-05-25 12:52:58 Marc Deslauriers bug task added openldap (Ubuntu Trusty)
2015-05-25 12:53:06 Marc Deslauriers bug task added openldap (Ubuntu Utopic)
2015-05-25 12:53:13 Marc Deslauriers bug task added openldap (Ubuntu Vivid)
2015-05-26 14:22:52 Felipe Reyes branch linked lp:~freyes/openldap/lp1446809
2015-05-26 17:29:26 Launchpad Janitor openldap (Ubuntu Utopic): status New Fix Released
2015-05-26 17:29:28 Launchpad Janitor openldap (Ubuntu Vivid): status New Fix Released
2015-05-26 17:35:21 Launchpad Janitor openldap (Ubuntu Precise): status Triaged Fix Released
2015-05-26 17:35:25 Launchpad Janitor openldap (Ubuntu Trusty): status New Fix Released
2015-05-28 06:14:55 Launchpad Janitor branch linked lp:~ubuntu-branches/ubuntu/vivid/openldap/vivid-security
2015-05-28 06:15:17 Launchpad Janitor branch linked lp:ubuntu/precise-security/openldap
2015-05-28 06:15:31 Launchpad Janitor branch linked lp:~ubuntu-branches/ubuntu/trusty/openldap/trusty-security
2015-05-28 06:15:44 Launchpad Janitor branch linked lp:~ubuntu-branches/ubuntu/utopic/openldap/utopic-security
2015-05-29 14:13:13 Felipe Reyes openldap (Ubuntu Precise): assignee Felipe Reyes (freyes)
2015-05-29 14:13:19 Felipe Reyes openldap (Ubuntu Trusty): assignee Felipe Reyes (freyes)
2015-05-29 14:13:24 Felipe Reyes openldap (Ubuntu Utopic): assignee Felipe Reyes (freyes)
2015-05-29 14:13:30 Felipe Reyes openldap (Ubuntu Vivid): assignee Felipe Reyes (freyes)