|
Message-ID: <1454752014.325860.1299014022676.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com> Date: Tue, 1 Mar 2011 16:13:42 -0500 (EST) From: Josh Bressers <bressers@...hat.com> To: Thomas Biege <thomas@...e.de> Cc: "Steven M. Christey" <coley@...us.mitre.org>, oss-security@...ts.openwall.com Subject: Re: CVE Request -- OpenLDAP -- two issues Please use CVE-2011-1081 for this new DoS. Thanks. -- JB ----- Original Message ----- > The following might also need a CVE-ID. > > https://bugzilla.novell.com/show_bug.cgi?id=674985#c1 > ------------------------------------------------------------------------------ > http://www.openldap.org/its/index.cgi/Software Bugs?id=6768 > > That's a pretty bad DOS. Everybody (even unauthenticated users) can > kill the > server by submitting a MODRDN request with an empty "olddn" value and > "remove > old RDN" set (-r). Example: > > ldapmodrdn -x -H ldap://ldapserver -r '' o=test > ------------------------------------------------------------------------------ > > > Am Freitag 25 Februar 2011 17:18:08 schrieb Josh Bressers: > > ----- Original Message ----- > > > Hello Josh, Steve, vendors, > > > > > > looks like the following two issues did not get a CVE identifiers > > > yet: > > > [1] http://secunia.com/advisories/43331/ > > > > The above advisory covers both bugs below. > > > > > > > [2] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6607 > > > > CVE-2011-1024 openldap forwarded bind failure messages cause success > > > > > > > [3] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6661 > > > > CVE-2011-1025 openldap rootpw is not verified with slapd.conf > > > > > > Thanks. > > > > > > -- > Thomas Biege <thomas@...e.de>, SUSE LINUX, Security Support & Auditing > SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) > -- > Wer aufhoert besser werden zu wollen, hoert auf gut zu sein. > -- Marie von Ebner-Eschenbach
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.