Re: (ITS#8240) OpenLDAP ber_get_next denial of service vulnerability
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8240) OpenLDAP ber_get_next denial of service vulnerability
- From: hyc@symas.com
- Date: Sat, 12 Sep 2015 09:06:47 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
denis.andzakovic@security-assessment.com wrote:
> Full_Name: Denis Andzakovic
> Version: 2.4.42
> OS: Debian 8
> URL:
> Submission from: (NULL) (2402:6000:110:a01:743b:8319:1f96:bd89)
>
>
> OpenLDAP ber_get_next Denial of Service
> Affected Versions: OpenLDAP <= 2.4.42
> +----------+
> | Solution |
> +----------+
> Ensure that data received from untrusted sources is not able to trigger
> conditions resulting in the server crashing. In this specific instance, the
> NDEBUG macro should be defined before the inclusion of assert.h by default,
> requiring a specific compile time alteration to enable debug.
Our patch response was too hasty. There is no OpenLDAP bug here, the real
issue is production binaries being built with asserts enabled instead of
compiling with -DNDEBUG. That's an issue for packagers and distros to resolve.
Closing this ITS, not an OpenLDAP bug.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
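Added example (not OpenLDAP code, and not a reconstruction of ber_get_next): a toy BER-style tag/length header decoder written two ways, to show the point the thread turns on. In the fragile version an invariant about the peer's length encoding is recorded with assert(), so a malformed message aborts the whole process in any binary built without -DNDEBUG, which is the denial of service the report describes. Building with -DNDEBUG makes the abort disappear, but it also makes the check disappear, so an assert is never a substitute for validating untrusted input. The hardened version checks every property of the buffer and hands an error code back to the caller, who can drop the connection. The message bytes, the function names and the encoding rules (short form below 0x80, long form 0x80|n followed by n length bytes) are constructed for this example and are not taken from the ITS.

```c
/*
 * Toy BER-like TLV header decoder, two versions.
 *   byte 0 : tag
 *   byte 1 : if < 0x80 it is the length (short form);
 *            else 0x80|n, followed by n big-endian length bytes (long form)
 *   then   : <length> value bytes
 * Constructed example; not OpenLDAP's liblber.
 */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { TLV_OK = 0, TLV_TRUNCATED = -1, TLV_BAD_LENGTH = -2 };

/* Reports whether this object was built with asserts enabled, i.e. whether
 * tlv_header_fragile() can abort the process on bad input. */
int asserts_enabled(void)
{
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

/* FRAGILE: the belief "a sane peer never sends 0 or more than sizeof(size_t)
 * length bytes" is recorded as an assert(). Without -DNDEBUG a peer sending
 * 0x89 aborts the whole server; with -DNDEBUG the line vanishes and the
 * function silently computes a garbage length from the unchecked value.
 * Never call this on attacker-controlled data. */
int tlv_header_fragile(const uint8_t *buf, size_t buflen,
                       size_t *hdr_len, size_t *value_len)
{
    size_t n, len = 0, i;

    if (buflen < 2)
        return TLV_TRUNCATED;
    if (!(buf[1] & 0x80)) {            /* short form */
        *hdr_len = 2;
        *value_len = buf[1];
        return TLV_OK;
    }
    n = buf[1] & 0x7f;
    assert(n >= 1 && n <= sizeof(size_t));   /* reachable from the wire */
    if (buflen - 2 < n)
        return TLV_TRUNCATED;
    for (i = 0; i < n; i++)
        len = (len << 8) | buf[2 + i];
    *hdr_len = 2 + n;
    *value_len = len;
    return TLV_OK;
}

/* HARDENED: every property of the input is validated and a violation is an
 * error return, not an abort. Nothing derived from the buffer is asserted. */
int tlv_header(const uint8_t *buf, size_t buflen,
               size_t *hdr_len, size_t *value_len)
{
    size_t n, len = 0, i;

    if (buflen < 2)
        return TLV_TRUNCATED;
    if (!(buf[1] & 0x80)) {            /* short form */
        *hdr_len = 2;
        *value_len = buf[1];
        return (buflen - 2 >= *value_len) ? TLV_OK : TLV_TRUNCATED;
    }
    n = buf[1] & 0x7f;
    if (n == 0 || n > sizeof(size_t))  /* indefinite form, or too wide */
        return TLV_BAD_LENGTH;
    if (buflen - 2 < n)                /* length bytes themselves missing */
        return TLV_TRUNCATED;
    for (i = 0; i < n; i++)
        len = (len << 8) | buf[2 + i];
    *hdr_len = 2 + n;
    *value_len = len;
    return (buflen - *hdr_len >= len) ? TLV_OK : TLV_TRUNCATED;  /* value present? */
}

int main(void)
{
    /* Constructed sample messages, not captured traffic. */
    static const uint8_t good[] = { 0x30, 0x82, 0x00, 0x03, 'a', 'b', 'c' };
    static const uint8_t evil[] = { 0x30, 0x89, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
    size_t hl = 0, vl = 0;
    int rc;

    rc = tlv_header(good, sizeof good, &hl, &vl);
    printf("good: rc=%d hdr=%zu value=%zu\n", rc, hl, vl);
    rc = tlv_header(evil, sizeof evil, &hl, &vl);
    printf("evil: rc=%d, rejected and the process keeps serving\n", rc);
    printf("asserts are %s in this build\n",
           asserts_enabled() ? "enabled" : "compiled out");
    /* tlv_header_fragile(evil, ...) would abort() here unless built with -DNDEBUG. */
    return 0;
}
```

Build it twice, once plain and once with -DNDEBUG, and the last line of output changes; that is the only difference a packager's choice of flags makes to the fragile decoder, which is why a check that must hold against network input belongs in an explicit branch and not in an assert.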