CVE-2008-2952: BER Decoding Remote DoS Vulnerability

Bug #249878 reported by SwissSign Operations Team
Affects                 Status         Importance   Assigned to   Milestone
openldap (Ubuntu)       Fix Released   Undecided    Kees Cook
  Dapper                Invalid        Undecided    Kees Cook
openldap2.2 (Ubuntu)    Invalid        Undecided    Unassigned
  Dapper                Fix Released   Medium       Kees Cook
openldap2.3 (Ubuntu)    Fix Released   Medium       Kees Cook
  Dapper                Fix Released   Medium       Kees Cook

Bug Description

A BER decoding bug has been discovered in slapd (supposedly all versions since 2003). All Ubuntu openldap packages seem affected. A fix has been released. See http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580

kind regards /markus

Mathias Gug (mathiaz) wrote :

This is not a problem in intrepid.

Changed in openldap2.2:
status: New → Invalid
Mathias Gug (mathiaz) wrote :

The version in dapper may be vulnerable. More investigation is required.

SwissSign Operations Team (ubuntu-bugs-swisssign) wrote :

Hi & thanks

Why is this not a problem in intrepid? From what I understood all versions since 2003 are vulnerable.

> More investigation is required.
Does that mean that you need to do more investigation or that someone else (supposedly me) should?

krgds /m

Kees Cook (kees) wrote :

The fixes were already included in the Intrepid upload of openldap. Dapper through Hardy need the update, and have been delayed while working on other higher priority issues.

Changed in openldap2.2:
assignee: nobody → kees
status: New → In Progress
Kees Cook (kees) wrote :

This has been published: http://www.ubuntu.com/usn/usn-634-1

Changed in openldap2.2:
importance: Undecided → Medium
status: In Progress → Fix Released
Changed in openldap2.3:
assignee: nobody → kees
status: New → Fix Released
assignee: nobody → kees
importance: Undecided → Medium
status: New → Fix Released
importance: Undecided → Medium
Changed in openldap:
assignee: nobody → kees
status: New → Invalid
assignee: nobody → kees
status: New → Fix Released