Gentoo Logo

OpenLDAP: Denial of Service vulnerability


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200611-25 / openldap
Release Date November 28, 2006
Latest Revision November 28, 2006: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-nds/openldap < 2.3.27-r3 >= 2.3.27-r3, revision >= 2.2.28-r5, revision >= 2.1.30-r8 All supported architectures

Related bugreports: #154349


A flaw in OpenLDAP allows remote unauthenticated attackers to cause a Denial of Service.

2.  Impact Information


OpenLDAP is a suite of LDAP-related applications and development tools.


Evgeny Legerov has discovered that the truncation of an incoming authcid longer than 255 characters and ending with a space as the 255th character will lead to an improperly computed name length. This will trigger an assert in the libldap code.


By sending a BIND request with a specially crafted authcid parameter to an OpenLDAP service, a remote attacker can cause the service to crash.

3.  Resolution Information


There is no known workaround at this time.


All OpenLDAP users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose "net-nds/openldap"

4.  References


Page updated November 28, 2006

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.