[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: large ldap server recommendation

To: Brad Knowles <b.knowles@its.utexas.edu>
Subject: Re: large ldap server recommendation
From: Quanah Gibson-Mount <quanah@zimbra.com>
Date: Fri, 01 Feb 2008 10:54:11 -0800
Cc: Howard Chu <hyc@symas.com>, ram <ram@netcore.co.in>, openldap-software@openldap.org, Michael StrÃder <michael@stroeder.com>
Content-disposition: inline
In-reply-to: <47A3690B.7060800@its.utexas.edu>
References: <1201774424.11372.83.camel@localhost.localdomain> <47A20E85.7090509@stroeder.com> <47A21C58.9090105@its.utexas.edu> <47A2381C.9000409@symas.com> <47A24409.9020207@its.utexas.edu> <0BC91504F966ACF6A39A0271@[192.168.1.196]> <47A3690B.7060800@its.utexas.edu>

--On Friday, February 01, 2008 12:46 PM -0600 Brad Knowles <b.knowles@its.utexas.edu> wrote:

Quanah Gibson-Mount wrote:

If your 2.3.35 servers can be accessed via a remote connection, anyone
can crash them at any time.  Is that considered critical?


Out of curiosity, can you point me at specific weaknesses in 2.3.35 that
we should be concerned about?  Are we talking about ITS#s 4923, 4925,
4938, 4966, or something else?

Is this something where they could only crash the server if they could
get direct access to send malformed LDAP queries, or is this something
that could potentially be abused through a third-party XSS-style attack?

There were a lot of bugs in 2.3.35, but basically if someone can send a query to the server, regardless of anonymous vs auth, they can crash it.

It is ITS#5119.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

References:
- Re: large ldap server recommendation
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: large ldap server recommendation
  - From: Brad Knowles <b.knowles@its.utexas.edu>

Prev by Date: Re: large ldap server recommendation
Next by Date: Re: ldap_tls call failed: Can't contact LDAP server
Index(es):
- Chronological
- Thread