1. Gentoo Linux Security Advisory
| Field | Value |
|---|---|
| Advisory Reference | GLSA 200611-25 / openldap |
| Release Date | November 28, 2006 |
| Latest Revision | November 28, 2006: 01 |
| Impact | normal |
| Exploitable | remote |

| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
|---|---|---|---|
| net-nds/openldap | < 2.3.27-r3 | >= 2.3.27-r3, revision >= 2.2.28-r5, revision >= 2.1.30-r8 | All supported architectures |
Related bug reports: #154349
A flaw in OpenLDAP allows remote unauthenticated attackers to cause a Denial of Service.
OpenLDAP is a suite of LDAP-related applications and development tools.
Evgeny Legerov discovered that when an incoming authcid longer than 255 characters is truncated, and the 255th character is a space, the resulting name length is computed incorrectly. This triggers an assert in the libldap code.
By sending a BIND request with a specially crafted authcid parameter to an OpenLDAP service, a remote, unauthenticated attacker can cause the service to crash.
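As an added example (not part of the advisory or of OpenLDAP), the following Python helper turns the advisory's version table and trigger condition into two checks a defender can run: one that decides whether an installed net-nds/openldap version is listed as vulnerable, honouring the backported fixes on the 2.2 and 2.1 branches, and one that flags an authcid value matching the truncation condition described above so that a front-end proxy or log review can reject or alert on it. The version-string format and the function names are assumptions for this illustration.

```python
import re

# Unaffected thresholds taken from the GLSA 200611-25 package table.
MAIN_FIX = (2, 3, 27, 3)                  # >= 2.3.27-r3
BACKPORT_FIX = {                          # branch -> first unaffected revision
    (2, 2): (2, 2, 28, 5),                # revision >= 2.2.28-r5
    (2, 1): (2, 1, 30, 8),                # revision >= 2.1.30-r8
}

# Assumed Gentoo-style version syntax: MAJOR.MINOR.PATCH[-rREV]
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-r(\d+))?$")

# Truncation limit named in the advisory (authcid longer than 255 characters).
AUTHCID_TRUNCATION = 255


def parse_version(ver: str) -> tuple:
    """Parse '2.3.27-r3' into (major, minor, patch, rev); a missing -rN means rev 0."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    major, minor, patch, rev = m.groups()
    return (int(major), int(minor), int(patch), int(rev or 0))


def is_vulnerable(ver: str) -> bool:
    """True if net-nds/openldap at this version falls in the advisory's vulnerable range."""
    v = parse_version(ver)
    if v >= MAIN_FIX:
        return False                      # 2.3.27-r3 and anything newer is unaffected
    fixed = BACKPORT_FIX.get(v[:2])       # older branches may carry a backported fix
    return fixed is None or v < fixed


def authcid_hits_truncation_bug(authcid: str) -> bool:
    """Flag an authcid that matches the trigger condition in the advisory:
    longer than the 255-character limit with a space as the 255th character."""
    return (len(authcid) > AUTHCID_TRUNCATION
            and authcid[AUTHCID_TRUNCATION - 1] == " ")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("ldap1", "2.3.27-r2"), ("ldap2", "2.2.28-r5"), ("ldap3", "2.1.30-r7")]:
        print(f"{host}: {ver} -> {'VULNERABLE' if is_vulnerable(ver) else 'ok'}")
```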
There is no known workaround at this time.
All OpenLDAP users should upgrade to the latest version:
Code Listing 3.1: Resolution

```
# emerge --sync
# emerge --ask --oneshot --verbose "net-nds/openldap"
```