[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ITS#8046 - remote unauth DoS on 2.4.40

To: "Paul B. Henson" <henson@acm.org>, openldap-technical@openldap.org
Subject: Re: ITS#8046 - remote unauth DoS on 2.4.40
From: Xin Li <delphij@delphij.net>
Date: Fri, 06 Feb 2015 14:09:47 -0800
Cc: "hyc@symas.com >> Howard Chu" <hyc@symas.com>, whm@stanford.edu, ryan@nardis.ca
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delphij.net; s=anubis; t=1423260588; x=1423274988; bh=upXY+2DbaFzvLrCotk4CNyvrHIw+QedJXSEAS11Sfzk=; h=Date:From:Reply-To:To:CC:Subject:References:In-Reply-To; b=KniHSESHwtAV0U4Jv7uaoainS9z1h+MwbbPpQNwAAbLQBfDTIW8w/Tae0vl2QeGng 2tHqD+kUtO9E5RZJgeGjmRCz9PsaPiw11l6cw9B5Vc+aHtw1eIHTod/MByC7ww0aLq wIVfC0BcRLP8zQxPZZYqA1ZT4b6i1Q4Bjrbagjqs=
In-reply-to: <20150206214741.GE4951@bender.unx.csupomona.edu>
Organization: The FreeBSD Project
References: <20150206214741.GE4951@bender.unx.csupomona.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 02/06/15 13:47, Paul B. Henson wrote:
> I haven't seen any announcement of this other than on security
> lists, but there's an unauthenticated remote DoS bug in 2.4.40:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776991
> 
> The actual ITS is a bit confusing, the reporter at one point says
> he had the issue with a beta version of 2.4.40 and it didn't work
> against release, but debian confirmed it kills their official
> 2.4.40 package and it caused a segfault against my gentoo 2.4.40
> release, so if you're running 2.4.40 (older versions not
> vulnerable), it's probably worth applying the patch from head:
> 
> http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=patch;h=2f1a2dd329b91afe561cd06b872d09630d4edb6a
>
>  I rebuilt my 2.4.40 with this and it no longer dies when the PoC
> query is issued.
> 

Is there a CVE number for this one?

Thanks in advance!

Cheers,
- -- 
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.1 (FreeBSD)

iQIcBAEBCgAGBQJU1TupAAoJEJW2GBstM+nsqmEP/04bi99MWG1EAZCi8ndnChu+
4n7DL0nB0emIvTP/UboKQcdSPNovDxPuNTZyhNaGEziD8PePGlkfTSanNCvMCl2j
NSnae0K6YSdiqX452jHcdlLbm876S13AxZsbXCSmcyM0wPgnUiaXOJ51L968JdYm
D8iJo4KDA0zxJCOOlb07SgcdgeVJ62I59mmg9qOwZrZvgeSdULv3YhE+v8Xwj3sf
SW4svM0fZm8a2v7zJ/G/ME7od8tteIZYa4DeSkFkIOmHS4TjXWiciWMBTIcgfuba
a2vy8IDK0+tYyiF4LxxOnEDGe5Bmx1nAyzdoSr4UKuWXBNvYerwZocB2/vZO6Vy+
t7ufsEi/H2W0rCpeaSsg0w4ktjm8cUT+l+sWveAVh8UGAlCzYYbE+k+mRTwu9eqg
hP0sruId3ZoT6hL54iPgTYsSR7rffL//twa29u1464k+/OFkbwyAdxJGW7Dotivz
7ArupIwQFoHSquatn3dfZDCHZ0F+Ay6YTwhMUeqpa8xk4pFMuvHdhKRyAtFfS4pA
hFbTL6DIIKk8MMpeiXrHXLLZAbJibb/awVwCko641QtFzsXpQKFkcSJ89zIHVZhx
i7o2F5pHjL5TM03xMJ51oWQiplLVhJ6tcmz+yn0yDHxy5dQv59Pad/BRcx6gynml
sLZ3HXVWv4fspb+ql7DW
=89su
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: ITS#8046 - remote unauth DoS on 2.4.40
  - From: "Paul B. Henson" <henson@acm.org>

References:
- ITS#8046 - remote unauth DoS on 2.4.40
  - From: "Paul B. Henson" <henson@acm.org>

Prev by Date: ITS#8046 - remote unauth DoS on 2.4.40
Next by Date: Re: ITS#8046 - remote unauth DoS on 2.4.40
Index(es):
- Chronological
- Thread