Bug 12586

Summary:	openldap new security issue CVE-2013-4449
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	bgmilne, gerdroscher, stormi-mageia, sysadmin-bugs, tmb
Version:	4	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/584144/
Whiteboard:	MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok advisory
Source RPM:	openldap-2.4.38-1.mga4.src.rpm	CVE:
Status comment:

Description David Walser 2014-02-04 22:39:37 CET

RedHat has issued an advisory on February 3:
https://rhn.redhat.com/errata/RHSA-2014-0126.html

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:

David Walser 2014-02-04 22:39:47 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-02-10 02:10:02 CET

I've added the patch from RedHat in SVN, but they all are failing to build (unrelated to the patch) right now, failing in the testsuite.

http://pkgsubmit.mageia.org/uploads/failure/3/core/updates_testing/20140209234135.luigiwalser.valstar.1920/log/openldap-2.4.33-7.1.mga3/build.0.20140209235607.log
http://pkgsubmit.mageia.org/uploads/failure/4/core/updates_testing/20140209234112.luigiwalser.valstar.1789/log/openldap-2.4.38-1.1.mga4/build.0.20140209234200.log
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20140209234051.luigiwalser.valstar.1628/log/openldap-2.4.38-2.mga5/build.0.20140209234107.log

Buchan, please have a look at this.

Comment 2 David Walser 2014-02-10 07:11:09 CET

Hmm, maybe it's a parallel build issue.  I pushed them again and they built.

Comment 3 David Walser 2014-02-10 07:15:33 CET

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated openldap packages fix security vulnerability:

A denial of service flaw was found in the way the OpenLDAP server daemon
(slapd) performed reference counting when using the rwm (rewrite/remap)
overlay. A remote attacker able to query the OpenLDAP server could use this
flaw to crash the server by immediately unbinding from the server after
sending a search request (CVE-2013-4449).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4449
http://www.openldap.org/its/index.cgi/Incoming?id=7723
https://rhn.redhat.com/errata/RHSA-2014-0126.html
========================

Updated packages in core/updates_testing:
========================
openldap-2.4.33-7.1.mga3
openldap-servers-2.4.33-7.1.mga3
openldap-servers-devel-2.4.33-7.1.mga3
openldap-clients-2.4.33-7.1.mga3
libldap2.4_2-2.4.33-7.1.mga3
libldap2.4_2-devel-2.4.33-7.1.mga3
libldap2.4_2-static-devel-2.4.33-7.1.mga3
openldap-doc-2.4.33-7.1.mga3
openldap-tests-2.4.33-7.1.mga3
openldap-testprogs-2.4.33-7.1.mga3
openldap-2.4.38-1.1.mga4
openldap-servers-2.4.38-1.1.mga4
openldap-servers-devel-2.4.38-1.1.mga4
openldap-clients-2.4.38-1.1.mga4
libldap2.4_2-2.4.38-1.1.mga4
libldap2.4_2-devel-2.4.38-1.1.mga4
libldap2.4_2-static-devel-2.4.38-1.1.mga4
openldap-back_sql-2.4.38-1.1.mga4
openldap-back_bdb-2.4.38-1.1.mga4
openldap-back_mdb-2.4.38-1.1.mga4
openldap-doc-2.4.38-1.1.mga4
openldap-tests-2.4.38-1.1.mga4
openldap-testprogs-2.4.38-1.1.mga4

from SRPMS:
openldap-2.4.33-7.1.mga3.src.rpm
openldap-2.4.38-1.1.mga4.src.rpm

CC: (none) => bgmilne
Version: Cauldron => 4
Assignee: bgmilne => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 4 Samuel Verschelde 2014-02-10 16:35:35 CET

Testing procedure from https://bugs.mageia.org/show_bug.cgi?id=6527#c8

-------
This is easy to test by installing openldap-tests

Start the ldap service

# service ldap start             (for mga1)

or

# systemctl start ldap.service   (for mga2)

Then

# cd /usr/share/openldap/tests/
# ./run all > ldaptest
# grep -e ">>>>>" ldaptest
-------

CC: (none) => stormi

Samuel Verschelde 2014-02-10 16:35:44 CET

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 5 claire robinson 2014-02-11 18:46:01 CET

Testing mga3 32 & 64 now

claire robinson 2014-02-11 19:29:07 CET

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok mga3-64-ok

Comment 6 Manuel Hiebel 2014-02-11 22:27:18 CET

testing currently on mga4/x86_64

Manuel Hiebel 2014-02-11 22:30:05 CET

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Comment 7 Gerd Roscher 2014-02-12 09:53:55 CET

tested yesterday 2014-02-11 on mga4/32bit

i dunno if it is a failure or not --->

>>>>> Starting test058-syncrepl-asymmetric for bdb...
>>>>>> Exiting with a false success status for now
>>>>> test058-syncrepl-asymmetric completed OK for bdb.

CC: (none) => gerdroscher

Comment 8 Samuel Verschelde 2014-02-12 10:01:58 CET

(In reply to Gerd Roscher from comment #7)
> tested yesterday 2014-02-11 on mga4/32bit
> 
> i dunno if it is a failure or not --->
> 
> >>>>> Starting test058-syncrepl-asymmetric for bdb...
> >>>>>> Exiting with a false success status for now
> >>>>> test058-syncrepl-asymmetric completed OK for bdb.

I think it's OK, the "false success status" must be intended.

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok

Comment 9 Samuel Verschelde 2014-02-12 10:47:51 CET

Advisory uploaded.

Update validated. Please push to 3 & 4 core/updates.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok advisory

Comment 10 Thomas Backlund 2014-02-12 19:11:56 CET

Update pushed:
http://advisories.mageia.org/MGASA-2014-0062.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED