Re: OpenLDAP 2.3.35 available

[Howard Chu <hyc@symas.com>]

OpenLDAP Project wrote:
> OpenLDAP 2.3.35 is now available for download as detailed
> on our download page:
>    http://www.openldap.org/software/download/
>
> and should soon be available on all official mirrors:
>    ftp://ftp.openldap.org/pub/OpenLDAP/MIRRORS
>
> This is a maintenance release and is made available for
> general use.  Users of OpenLDAP Software are encouraged
> to upgrade.
>
> Significant contributors to this release include:
>    Quanah Gibson-Mount (Stanford)
>    Pierangelo Masarati (SysNet)
>    Howard Chu (Symas)
>
> -- The OpenLDAP Project
>
>
> OpenLDAP 2.3.35 Release (2007/04/09)
>      Fixed ldapmodify to use correct memory free functions (ITS#4901)
>      Fixed slapd acl set minor typo (ITS#4874)
>      Fixed slapd entry consistency check in str2entry2 (ITS#4852)
>      Fixed slapd ldapi:// credential issue (ITS#4893)

ITS#4893 addresses security implications on HPUX. If you're using
ldapi:// on HPUX 11 it is possible for regular users to bind to the
directory with the credentials of Unix root. Similar exploits may be
possible on AIX 5.1 and older, and Solaris 2.9 and older. This release
disables the insecure credential passing mechanism on these OS versions;
if you were relying on SASL/EXTERNAL authentication with ldapi:// on the
affected platforms that mechanism will no longer work after you install
this release.

We may re-enable these mechanisms in a later update, depending on user
demand. In the meantime, if you're using ldapi:// on these platforms,
you need to stop or upgrade to this release ASAP. Workarounds are still
being tested and will be made available as they become ready.

--
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/