USN-1100-1: OpenLDAP vulnerabilities

Releases

• Ubuntu 10.10
• Ubuntu 10.04
• Ubuntu 9.10
• Ubuntu 8.04

Packages

• openldap - OpenLDAP utilities
• openldap2.3 - OpenLDAP utilities

Details

It was discovered that OpenLDAP did not properly check forwarded
authentication failures when using a consumer server and chain overlay. If
OpenLDAP were configured in this manner, an attacker could bypass
authentication checks by sending an invalid password to a consumer server.
(CVE-2011-1024)

It was discovered that OpenLDAP did not properly perform authentication
checks to the rootdn when using the back-ndb backend. An attacker could
exploit this to access the directory by sending an arbitrary password.
Ubuntu does not ship OpenLDAP with back-ndb support by default. This issue
did not affect Ubuntu 8.04 LTS. (CVE-2011-1025)

It was discovered that OpenLDAP did not properly validate modrdn requests.
An unauthenticated remote user could use this to cause a denial of service
via application crash. (CVE-2011-1081)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10

• slapd - 2.4.18-0ubuntu1.2

Ubuntu 8.04

• slapd - 2.4.9-0ubuntu0.8.04.5

Ubuntu 10.10

• slapd - 2.4.23-0ubuntu3.5

Ubuntu 10.04

• slapd - 2.4.21-0ubuntu5.4

In general, a standard system update will make all the necessary changes.

References

• CVE-2011-1025
• CVE-2011-1081
• CVE-2011-1024