Home / mailings [USN-2742-1] OpenLDAP vulnerabilities
Posted on 16 September 2015
Ubuntu Security==========================
==========================
========================
Ubuntu Security Notice USN-2742-1
September 16, 2015
openldap vulnerabilities
==========================
==========================
========================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in OpenLDAP.
Software Description:
- openldap: OpenLDAP utilities
Details:
Denis Andzakovic discovered that OpenLDAP incorrectly handled certain BER=
data. A remote attacker could possibly use this issue to cause OpenLDAP t=
o
crash, resulting in a denial of service. (CVE-2015-6908)
Dietrich Clauss discovered that the OpenLDAP package incorrectly shipped
with a potentially unsafe default access control configuration. Depending=
on how the database is configure, this may allow users to impersonate
others by modifying attributes such as their Unix user and group numbers.=
(CVE-2014-9713)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
slapd 2.4.31-1+nmu2ubuntu12.3
Ubuntu 14.04 LTS:
slapd 2.4.31-1+nmu2ubuntu8.2
Ubuntu 12.04 LTS:
slapd 2.4.28-1.1ubuntu4.6
In general, a standard system update will make all the necessary changes.=
For existing installations, access rules that begin with "to *" need to b=
e
manually adjusted to remove any instances of "by self write".
References:
http://www.ubuntu.com/usn/usn-2742-1
CVE-2014-9713, CVE-2015-6908
Package Information:
https://launchpad.net/ubuntu/+source/openldap/2.4.31-1+nmu2ubuntu12.3
https://launchpad.net/ubuntu/+source/openldap/2.4.31-1+nmu2ubuntu8.2
https://launchpad.net/ubuntu/+source/openldap/2.4.28-1.1ubuntu4.6
