Executive Summary
Informations | |||
---|---|---|---|
Name | MDVSA-2014:026 | First vendor Publication | 2014-02-12 |
Vendor | Mandriva | Last vendor Modification | 2014-02-12 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 4.3 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A vulnerability has been discovered and corrected in openldap: The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search (CVE-2013-4449). The updated packages have been patched to correct this issue. |
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDVSA-2014:026 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:22531 | |||
Oval ID: | oval:org.mitre.oval:def:22531 | ||
Title: | RHSA-2014:0126: openldap security and bug fix update (Moderate) | ||
Description: | The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2014:0126-00 CESA-2014:0126 CVE-2013-4449 | Version: | 8 |
Platform(s): | Red Hat Enterprise Linux 6 CentOS Linux 6 | Product(s): | openldap |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23794 | |||
Oval ID: | oval:org.mitre.oval:def:23794 | ||
Title: | ELSA-2014:0126: openldap security and bug fix update (Moderate) | ||
Description: | The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014:0126-00 CVE-2013-4449 | Version: | 6 |
Platform(s): | Oracle Linux 6 | Product(s): | openldap |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24289 | |||
Oval ID: | oval:org.mitre.oval:def:24289 | ||
Title: | ELSA-2014:0206: openldap security update (Moderate) | ||
Description: | OpenLDAP is an open source suite of Lightweight Directory Access Protocol (LDAP) applications and development tools. LDAP is a set of protocols used to access and maintain distributed directory information services over an IP network. The openldap package contains configuration files, libraries, and documentation for OpenLDAP. A denial of service flaw was found in the way the OpenLDAP server daemon (slapd) performed reference counting when using the rwm (rewrite/remap) overlay. A remote attacker able to query the OpenLDAP server could use this flaw to crash the server by immediately unbinding from the server after sending a search request. (CVE-2013-4449) Red Hat would like to thank Michael Vishchers from Seven Principles AG for reporting this issue. All openldap users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014:0206-00 CVE-2013-4449 | Version: | 5 |
Platform(s): | Oracle Linux 5 | Product(s): | openldap |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24327 | |||
Oval ID: | oval:org.mitre.oval:def:24327 | ||
Title: | RHSA-2014:0206: openldap security update (Moderate) | ||
Description: | The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2014:0206-00 CESA-2014:0206 CVE-2013-4449 | Version: | 7 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | openldap |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27309 | |||
Oval ID: | oval:org.mitre.oval:def:27309 | ||
Title: | DEPRECATED: ELSA-2014-0126 -- openldap security and bug fix update (moderate) | ||
Description: | [2.4.23-34.1] - fix: segfault on certain queries with rwm overlay (#1058250) [2.4.23-34] - fix: deadlock during SSL_ForceHandshake (#996373) + revert nss-handshake-threadsafe.patch | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014-0126 CVE-2013-4449 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | openldap |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27346 | |||
Oval ID: | oval:org.mitre.oval:def:27346 | ||
Title: | DEPRECATED: ELSA-2014-0206 -- openldap security update (moderate) | ||
Description: | [2.3.43-27] - fix: CVE-2013-4449 segfault on certain queries with rwm overlay (#1064145) [2.3.43-26] - fix: do not send IPv6 DNS queries when IPv6 is disabled on the host (#812772) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014-0206 CVE-2013-4449 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | openldap |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-06-22 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2016-0069.nasl - Type : ACT_GATHER_INFO |
2015-05-27 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2622-1.nasl - Type : ACT_GATHER_INFO |
2015-05-18 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_openldap2-20150423-150413.nasl - Type : ACT_GATHER_INFO |
2015-04-20 | Name : The remote Debian host is missing a security update. File : debian_DLA-203.nasl - Type : ACT_GATHER_INFO |
2015-03-31 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3209.nasl - Type : ACT_GATHER_INFO |
2014-03-11 | Name : The remote Fedora host is missing a security update. File : fedora_2014-2967.nasl - Type : ACT_GATHER_INFO |
2014-03-02 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-294.nasl - Type : ACT_GATHER_INFO |
2014-02-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0206.nasl - Type : ACT_GATHER_INFO |
2014-02-25 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20140224_openldap_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2014-02-25 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-0206.nasl - Type : ACT_GATHER_INFO |
2014-02-25 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-0206.nasl - Type : ACT_GATHER_INFO |
2014-02-13 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-026.nasl - Type : ACT_GATHER_INFO |
2014-02-12 | Name : The remote Fedora host is missing a security update. File : fedora_2014-2012.nasl - Type : ACT_GATHER_INFO |
2014-02-04 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-0126.nasl - Type : ACT_GATHER_INFO |
2014-02-04 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20140203_openldap_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2014-02-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0126.nasl - Type : ACT_GATHER_INFO |
2014-02-04 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-0126.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:44:19 |
|
2014-02-12 17:22:48 |
|