Mageia 2020-0200: openldap security update
Summary
Updated openldap packages fix security vulnerabilities:
When both the nops module and the member of overlay are enabled, attempts to
free a buffer that was allocated on the stack, which allows remote attackers to
cause a denial of service (slapd crash) via a member MODDN operation
(CVE-2017-17740).
In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested
boolean expressions can result in denial of service (daemon crash)
(CVE-2020-12243).
The nops overlay has been dropped from the package, fixing CVE-2017-17740.
The openldap package has been updated to version 2.4.50, fixing CVE-2020-12243
and several other bugs.
References
- https://bugs.mageia.org/show_bug.cgi?id=26569
- https://bugs.mageia.org/show_bug.cgi?id=24076
- https://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/thread/NQ6OHLWNVRKIJU3HI5YGGAZL54H2RB73/
- https://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/thread/VMMBUCQHEDF6QA4CDOONP2CDQEOR5YQA/
- https://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/thread/FUOYA6YCHBXMLANBJMSO22JD2NB22WGC/
- - https://www.debian.org/security/2020/dsa-4666
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17740
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12243
Resolution
MGASA-2020-0200 - Updated openldap packages fix security vulnerabilities
SRPMS
- 7/core/openldap-2.4.50-1.1.mga7