Bug 12586 - openldap new security issue CVE-2013-4449
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/584144/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update

Reported: 2014-02-04 22:39 CET by David Walser
Modified: 2014-02-12 19:11 CET
Source RPM: openldap-2.4.38-1.mga4.src.rpm

Description David Walser 2014-02-04 22:39:37 CET
Red Hat has issued an advisory on February 3:
https://rhn.redhat.com/errata/RHSA-2014-0126.html

Mageia 3 and Mageia 4 are also affected.

Comment 2 David Walser 2014-02-10 07:11:09 CET
Hmm, maybe it's a parallel build issue.  I pushed them again and they built.
Comment 3 David Walser 2014-02-10 07:15:33 CET
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated openldap packages fix security vulnerability:

A denial of service flaw was found in the way the OpenLDAP server daemon
(slapd) performed reference counting when using the rwm (rewrite/remap)
overlay. A remote attacker able to query the OpenLDAP server could use this
flaw to crash the server by immediately unbinding from the server after
sending a search request (CVE-2013-4449).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4449
http://www.openldap.org/its/index.cgi/Incoming?id=7723
https://rhn.redhat.com/errata/RHSA-2014-0126.html
========================

Updated packages in core/updates_testing:
========================
openldap-2.4.33-7.1.mga3
openldap-servers-2.4.33-7.1.mga3
openldap-servers-devel-2.4.33-7.1.mga3
openldap-clients-2.4.33-7.1.mga3
libldap2.4_2-2.4.33-7.1.mga3
libldap2.4_2-devel-2.4.33-7.1.mga3
libldap2.4_2-static-devel-2.4.33-7.1.mga3
openldap-doc-2.4.33-7.1.mga3
openldap-tests-2.4.33-7.1.mga3
openldap-testprogs-2.4.33-7.1.mga3
openldap-2.4.38-1.1.mga4
openldap-servers-2.4.38-1.1.mga4
openldap-servers-devel-2.4.38-1.1.mga4
openldap-clients-2.4.38-1.1.mga4
libldap2.4_2-2.4.38-1.1.mga4
libldap2.4_2-devel-2.4.38-1.1.mga4
libldap2.4_2-static-devel-2.4.38-1.1.mga4
openldap-back_sql-2.4.38-1.1.mga4
openldap-back_bdb-2.4.38-1.1.mga4
openldap-back_mdb-2.4.38-1.1.mga4
openldap-doc-2.4.38-1.1.mga4
openldap-tests-2.4.38-1.1.mga4
openldap-testprogs-2.4.38-1.1.mga4

from SRPMS:
openldap-2.4.33-7.1.mga3.src.rpm
openldap-2.4.38-1.1.mga4.src.rpm
Comment 4 Samuel Verschelde 2014-02-10 16:35:35 CET
Testing procedure from https://bugs.mageia.org/show_bug.cgi?id=6527#c8

-------
This is easy to test by installing openldap-tests

Start the ldap service

# service ldap start             (for mga1)

or

# systemctl start ldap.service   (for mga2)

Then

# cd /usr/share/openldap/tests/
# ./run all > ldaptest
# grep -e ">>>>>" ldaptest
-------
Comment 5 claire robinson 2014-02-11 18:46:01 CET
Testing mga3 32 & 64 now
Comment 6 Manuel Hiebel 2014-02-11 22:27:18 CET
Testing currently on mga4/x86_64
Comment 7 Gerd Roscher 2014-02-12 09:53:55 CET
Tested yesterday 2014-02-11 on mga4/32bit

I don't know if it is a failure or not --->

>>>>> Starting test058-syncrepl-asymmetric for bdb...
>>>>>> Exiting with a false success status for now
>>>>> test058-syncrepl-asymmetric completed OK for bdb.
Comment 8 Samuel Verschelde 2014-02-12 10:01:58 CET
(In reply to Gerd Roscher from comment #7)
> Tested yesterday 2014-02-11 on mga4/32bit
> 
> I don't know if it is a failure or not --->
> 
> >>>>> Starting test058-syncrepl-asymmetric for bdb...
> >>>>>> Exiting with a false success status for now
> >>>>> test058-syncrepl-asymmetric completed OK for bdb.

I think it's OK; the "false success status" must be intended.
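Added example, not part of the bug report or of Mageia's QA tooling: a small POSIX sh helper that summarizes the ">>>>>" marker lines left by the `./run all > ldaptest` procedure from comment 4, counting the "false success status" case from comment 7 as a pass with a caveat, as comment 8 concluded. The wording of a failure line (">>>>> <test> failed for <backend>") is an assumption, since the bug only shows the OK form; the sample log is constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Mageia's QA tooling.
# Summarizes the ">>>>>" marker lines left by "./run all > ldaptest" (comment 4).
# Assumptions: the runner prints ">>>>> <test> completed OK for <backend>." on
# success and ">>>>> <test> failed for <backend> ..." on failure (the failure
# wording is assumed; the bug only shows the OK form). The ">>>>>>" line
# "Exiting with a false success status for now" is printed by the test script
# itself and is still followed by "completed OK", so it is a pass with a caveat
# (comment 8); it is counted separately so a reviewer can see it.

# summarize_ldaptest FILE
# Prints "ok=<n> false_success=<n> failed=<n>"; returns 1 if any test failed.
summarize_ldaptest() {
    file="$1"
    # grep -c exits 1 when the count is 0; "|| true" keeps "0" as the value.
    ok=$(grep -c '^>>>>> .* completed OK for ' "$file" || true)
    failed=$(grep -c '^>>>>> .* failed for ' "$file" || true)
    false_ok=$(grep -c '^>>>>>> Exiting with a false success status' "$file" || true)
    echo "ok=$ok false_success=$false_ok failed=$failed"
    [ "$failed" -eq 0 ]
}

# Constructed sample output: a normal pass, the test058 case from comment 7,
# and an assumed failure line for a made-up test name.
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
>>>>> Starting test000-rootdse for bdb...
>>>>> test000-rootdse completed OK for bdb.
>>>>> Starting test058-syncrepl-asymmetric for bdb...
>>>>>> Exiting with a false success status for now
>>>>> test058-syncrepl-asymmetric completed OK for bdb.
>>>>> Starting test999-constructed for bdb...
>>>>> test999-constructed failed for bdb (exit 1)
EOF

summarize_ldaptest "$sample_log" || echo "at least one test failed; read $sample_log"
```

On a real run, point the function at the `ldaptest` file produced by `./run all > ldaptest` instead of the constructed sample.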
Comment 9 Samuel Verschelde 2014-02-12 10:47:51 CET
Advisory uploaded.

Update validated. Please push to 3 & 4 core/updates.
Comment 10 Thomas Backlund 2014-02-12 19:11:56 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0062.html