Executive Summary
Summary | |
---|---|
Title | openldap security and bug fix update |
Informations | |||
---|---|---|---|
Name | RHSA-2012:0899 | First vendor Publication | 2012-06-20 |
Vendor | RedHat | Last vendor Modification | 2012-06-20 |
Severity (Vendor) | Low | Revision | 04 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:H/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 2.6 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | High |
Cvss Expoit Score | 4.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated openldap packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. A denial of service flaw was found in the way the OpenLDAP server daemon (slapd) processed certain search queries requesting only attributes and no values. In certain configurations, a remote attacker could issue a specially-crafted LDAP search query that, when processed by slapd, would cause slapd to crash due to an assertion failure. (CVE-2012-1164) These updated openldap packages include numerous bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.3 Technical Notes for information on the most significant of these changes. Users of OpenLDAP are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenLDAP daemons will be restarted automatically. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 732916 - SASL_NOCANON option missing in ldap.conf manual page 742023 - Default SSL certificate bundle is not found by openldap library 742163 - Overlay constraint with count option work bad with modify operation 743781 - ldapsearch crashes with invalid prameters 745470 - missing options in manual pages of client tools 783445 - replication (syncrepl) with TLS causes segfault 784203 - Duplicate close() calls in OpenLDAP 790687 - openldap should be using portreserve 796808 - slapd segfaults when certificate key cannot be loaded 802514 - CVE-2012-1164 openldap (slapd): Assertion failure by processing search queries requesting only attributes for particular entry 807363 - openldap libraries leak memory when following referrals 816168 - memory leak: def_urlpre is not freed 818844 - MozNSS CA cert dir does not work together with PEM CA cert file |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2012-0899.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:21504 | |||
Oval ID: | oval:org.mitre.oval:def:21504 | ||
Title: | RHSA-2012:0899: openldap security and bug fix update (Low) | ||
Description: | slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:0899-04 CESA-2012:0899 CVE-2012-1164 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 6 CentOS Linux 6 | Product(s): | openldap |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23631 | |||
Oval ID: | oval:org.mitre.oval:def:23631 | ||
Title: | ELSA-2012:0899: openldap security and bug fix update (Low) | ||
Description: | slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:0899-04 CVE-2012-1164 | Version: | 6 |
Platform(s): | Oracle Linux 6 | Product(s): | openldap |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27559 | |||
Oval ID: | oval:org.mitre.oval:def:27559 | ||
Title: | DEPRECATED: ELSA-2012-0899 -- openldap security and bug fix update (low) | ||
Description: | [2.4.23-26] - fix: MozNSS CA cert dir does not work together with PEM CA cert file (#818844) - fix: memory leak: def_urlpre is not freed (#816168) - fix update: Default SSL certificate bundle is not found by openldap library (#742023) [2.4.23-25] - fix update: Default SSL certificate bundle is not found by openldap library (#742023) [2.4.23-24] - fix update: Default SSL certificate bundle is not found by openldap library (#742023) - fix: memberof overlay on the frontend database causes server segfault (#730745) [2.4.23-23] - security fix: CVE-2012-1164: assertion failure by processing search queries requesting only attributes for particular entry (#813162) [2.4.23-22] - fix: libraries leak memory when following referrals (#807363) [2.4.23-21] - fix: ldapsearch crashes with invalid parameters (#743781) - fix: replication (syncrepl) with TLS causes segfault (#783445) - fix: openldap server in MirrorMode sometimes fails to resync via syncrepl (#784211) - use portreserve to reserve LDAPS port (636/tcp+udp) (#790687) - fix: missing options in manual pages of client tools (#745470) - fix: SASL_NOCANON option missing in ldap.conf manual page (#732916) - fix: slapd segfaults when certificate key cannot be loaded (#796808) - Jan Synacek <jsynacek@redhat.com> + fix: overlay constraint with count option work bad with modify operation (#742163) + fix: Default SSL certificate bundle is not found by openldap library (#742023) + fix: Duplicate close() calls in OpenLDAP (#784203) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-0899 CVE-2012-1164 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | openldap |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-08-14 | Name : Mandriva Update for openldap MDVSA-2012:130 (openldap) File : nvt/gb_mandriva_MDVSA_2012_130.nasl |
2012-07-30 | Name : CentOS Update for openldap CESA-2012:0899 centos6 File : nvt/gb_CESA-2012_0899_openldap_centos6.nasl |
2012-07-19 | Name : Fedora Update for openldap FEDORA-2012-10023 File : nvt/gb_fedora_2012_10023_openldap_fc16.nasl |
2012-06-22 | Name : RedHat Update for openldap RHSA-2012:0899-04 File : nvt/gb_RHSA-2012_0899-04_openldap.nasl |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-05-27 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2622-1.nasl - Type : ACT_GATHER_INFO |
2015-04-20 | Name : The remote Debian host is missing a security update. File : debian_DLA-203.nasl - Type : ACT_GATHER_INFO |
2014-07-01 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201406-36.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-101.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-0899.nasl - Type : ACT_GATHER_INFO |
2012-09-06 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-130.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120620_openldap_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2012-07-18 | Name : The remote Fedora host is missing a security update. File : fedora_2012-10023.nasl - Type : ACT_GATHER_INFO |
2012-07-11 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-0899.nasl - Type : ACT_GATHER_INFO |
2012-06-20 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-0899.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:56:04 |
|