==========================================================================
Ubuntu Security Notice USN-2742-1
September 16, 2015
openldap vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in OpenLDAP.

Software Description:
- openldap: OpenLDAP utilities

Details:

Denis Andzakovic discovered that OpenLDAP incorrectly handled certain BER
data. A remote attacker could possibly use this issue to cause OpenLDAP to
crash, resulting in a denial of service. (CVE-2015-6908)

Dietrich Clauss discovered that the OpenLDAP package incorrectly shipped
with a potentially unsafe default access control configuration. Depending
on how the database is configured, this may allow users to impersonate
others by modifying attributes such as their Unix user and group numbers.
(CVE-2014-9713)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.04:
  slapd 2.4.31-1+nmu2ubuntu12.3

Ubuntu 14.04 LTS:
  slapd 2.4.31-1+nmu2ubuntu8.2

Ubuntu 12.04 LTS:
  slapd 2.4.28-1.1ubuntu4.6

In general, a standard system update will make all the necessary changes.

For existing installations, access rules that begin with "to *" need to be
manually adjusted to remove any instances of "by self write".
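
One way to find the rules that need this manual adjustment, as an added
example that is not part of the original notice. It assumes the access rules
are available as olcAccess values in an LDIF export of the cn=config
database; the sample LDIF, the DNs in it and the function names are
constructed for illustration.

```python
import base64
import re

# Constructed sample: olcAccess values as exported from cn=config (not from the notice).
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by *
  read
"""

# A rule whose target is exactly "*", with or without the {n} ordering prefix.
RULE_RE = re.compile(r"^(\{\d+\})?\s*to\s+\*(\s|$)", re.I)
SELF_WRITE_RE = re.compile(r"\s*\bby\s+self\s+write\b", re.I)


def olc_access_values(ldif):
    """Yield olcAccess values, undoing LDIF line folding and base64 encoding."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # a leading space continues the previous line
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "olcaccess":
            continue
        if value.startswith(":"):  # "olcAccess:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        yield value.strip()


def audit(ldif):
    """Return (original, adjusted) for each "to *" rule that grants "by self write"."""
    findings = []
    for rule in olc_access_values(ldif):
        if RULE_RE.match(rule) and SELF_WRITE_RE.search(rule):
            findings.append((rule, SELF_WRITE_RE.sub("", rule)))
    return findings


if __name__ == "__main__":
    for original, adjusted in audit(SAMPLE_LDIF):
        print("unsafe :", original)
        print("replace:", adjusted)
```

Rules scoped to specific attributes, such as the userPassword rule in the
sample, are left alone; only rules whose target is "to *" are reported.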

References:
  http://www.ubuntu.com/usn/usn-2742-1
  CVE-2014-9713, CVE-2015-6908

Package Information:
  https://launchpad.net/ubuntu/+source/openldap/2.4.31-1+nmu2ubuntu12.3
  https://launchpad.net/ubuntu/+source/openldap/2.4.31-1+nmu2ubuntu8.2
  https://launchpad.net/ubuntu/+source/openldap/2.4.28-1.1ubuntu4.6