Bug 21003

Summary: openldap new security issue CVE-2017-9287
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, mageia, marja11, sysadmin-bugs
Version: 5Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-64-OK
Source RPM: openldap-2.4.44-4.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-06-01 12:13:20 CEST 
Debian has issued an advisory on May 30:
https://www.debian.org/security/2017/dsa-3868

The upstream patch is linked from the upstream bug:
http://www.openldap.org/its/?findid=8655

Mageia 5 is also affected.
David Walser 2017-06-01 12:16:04 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-06-01 21:17:19 CEST 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => bgmilne

Comment 2 Nicolas Lécureuil 2017-06-01 23:18:50 CEST 
Fixed in cauldron

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
CC: (none) => mageia

Comment 3 Nicolas Lécureuil 2017-06-01 23:27:26 CEST 
Pushed in updates_testing

src.rpm:  openldap-2.4.40-3.2.mga5

Assignee: bgmilne => qa-bugs

Comment 4 Nicolas Lécureuil 2017-06-01 23:53:50 CEST 
tests are failing, can someone take a look please ?
David Walser 2017-06-02 02:49:38 CEST

CC: (none) => qa-bugs
Assignee: qa-bugs => bgmilne

Comment 5 David Walser 2017-08-04 21:50:12 CEST 
RedHat updated it to a newer version for this issue:
https://access.redhat.com/errata/RHSA-2017:1852

Maybe we could sync the Mageia 5 package with Mageia 6?
Comment 6 Nicolas Lécureuil 2017-08-11 16:53:20 CEST 
Pushed in updates_testing for mageia 5

src.rpm:
       openldap-2.4.45-1.mga5


can someone help with tests failing ?

Assignee: bgmilne => qa-bugs

Comment 7 David Walser 2017-08-11 18:38:09 CEST 
Reassigning back to Nicolas as it's not ready for QA with tests failing.

Assignee: qa-bugs => mageia

Nicolas Lécureuil 2017-08-22 01:31:29 CEST

Assignee: mageia => bgmilne

Comment 8 David Walser 2017-09-12 13:21:49 CEST 
Since there's a systemd unit file for slapd, I don't think we can be vulnerable to CVE-2017-14159:
http://seclists.org/oss-sec/2017/q3/427

but the SysV init script should be removed from the package.
Comment 9 David Walser 2017-12-27 00:41:44 CET 
I noticed that the test are disabled in mga6 as well.  Guess we can QA this.

Advisory:
========================

Updated openldap packages fix security vulnerability:

A double-free flaw was found in the way OpenLDAP's slapd server using the MDB
backend handled LDAP searches. A remote attacker with access to search the
directory could potentially use this flaw to crash slapd by issuing a specially
crafted LDAP search query (CVE-2017-9287).

The openldap package has been updated to version 2.4.45 to fix this issue and
other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9287
https://access.redhat.com/errata/RHSA-2017:1852

Assignee: bgmilne => qa-bugs
CC: qa-bugs => (none)

Comment 10 Lewis Smith 2017-12-30 11:49:42 CET 
To test normally.
Dave Hodgins 2017-12-31 12:50:50 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 11 Dave Hodgins 2018-01-03 13:35:57 CET 
As kerberos uses openldap, followed the qa procedure for krb5.
$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dave@X5V.HODGINS.HOMEIP.NET

Valid starting     Expires            Service principal
03/01/18 07:33:15  04/01/18 07:33:15  krbtgt/X5V.HODGINS.HOMEIP.NET@X5V.HODGINS.HOMEIP.NET

Validating the update.

Whiteboard: (none) => MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2018-01-03 15:23:22 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0033.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED