Change logs for openldap2.2 source package in Breezy

  • openldap2.2 (2.2.26-3ubuntu0.2) breezy-security; urgency=low
    
      * SECURITY UPDATE: Denial of service possible with a crafted remote
        LDAP BIND request due to an assert failure.
      * libraries/libldap/getdn.c: check for string end conditions, as done
        in upstream CVS.
      * References
        http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/getdn.c.diff?r1=1.133&r2=1.134
        CVE-2006-5779
    
     -- Kees Cook <email address hidden>   Mon, 20 Nov 2006 13:43:38 -0800
  • openldap2.2 (2.2.26-3ubuntu0.1) breezy-security; urgency=low
    
      * SECURITY UPDATE: Crash/arbitrary code execution with crafted host names.
      * servers/slurpd/st.c, St_read():
        - Do not sprintf arbitrarily long strings into fixed-size tbuf.
        - Patch ported from upstream CVS commit:
          http://www.openldap.org/devel/cvsweb.cgi/servers/slurpd/st.c.diff?r1=1.21&r2=1.22&hideattic=1&sortbydate=0&f=u
        - CVE-2006-2754
    
     -- Martin Pitt <email address hidden>   Mon, 26 Jun 2006 12:04:39 +0000
  • openldap2.2 (2.2.26-3) unstable; urgency=low
    
    
      * [SECURITY] Applied the patch available at 
          http://bugzilla.padl.com/show_bug.cgi?id=210
        to force libldap to really use TLS when requested in /etc/ldap/ldap.conf
        (cf. CAN-2005-2069). Clients still will use libldap2 from openldap2
        source package so this is only to prepare unleashing the libraries of
        OpenLDAP 2.2 for unstable...
    
     -- Torsten Landschoff <email address hidden>  Sun,  3 Jul 2005 10:41:37 +0200