ITS#8046 - remote unauth DoS on 2.4.40
- To: openldap-technical@openldap.org
- Subject: ITS#8046 - remote unauth DoS on 2.4.40
- From: "Paul B. Henson" <henson@acm.org>
- Date: Fri, 6 Feb 2015 13:47:41 -0800
- User-agent: Mutt/1.5.23 (2014-03-12)
I haven't seen any announcement of this other than on security lists,
but there's an unauthenticated remote DoS bug in 2.4.40:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776991
The actual ITS is a bit confusing; the reporter at one point says he had
the issue with a beta version of 2.4.40 and it didn't work against the
release, but Debian confirmed it kills their official 2.4.40 package and
it caused a segfault against my Gentoo 2.4.40 release, so if you're
running 2.4.40 (older versions are not vulnerable), it's probably worth
applying the patch from head:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=patch;h=2f1a2dd329b91afe561cd06b872d09630d4edb6a
I rebuilt my 2.4.40 with this and it no longer dies when the PoC query
is issued.