slapo-pcache (overlays/pcache.c) in slapd in OpenLDAP before 2.3.39, when running as a proxy-caching server, allocates memory using a malloc variant instead of calloc, which prevents an array from being initialized properly and might allow attackers to cause a denial of service (segmentation fault) via unknown vectors that prevent the array from being null terminated.

A vulnerability was found in slapo-pcache in slapd of OpenLDAP prior to 2.3.39 when running as a proxy-caching server. It would allocate memory using a malloc variant rather than calloc, which prevented an array from being properly initialized and could possibly allow attackers to cause a denial of service (CVE-2007-5708).

Two vulnerabilities were found in how slapd handled modify (prior to 2.3.26) and modrdn (prior to 2.3.29) requests with NOOP control on objects stored in the BDB backend. An authenticated user with permission to perform modify (CVE-2007-6698) or modrdn (CVE-2008-0658) operations could cause slapd to crash.

The updated packages have been patched to correct these issues.

Several remote vulnerabilities have been discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2007-5707     Thomas Sesselmann discovered that slapd could be crashed     by a malformed modify requests.

  - CVE-2007-5708     Toby Blade discovered that incorrect memory handling in     slapo-pcache could lead to denial of service through     crafted search requests.

  - CVE-2007-6698     It was discovered that a programming error in the     interface to the BDB storage backend could lead to     denial of service through crafted modify requests.

  - CVE-2008-0658     It was discovered that a programming error in the     interface to the BDB storage backend could lead to     denial of service through crafted modrdn requests.

The remote host is affected by the vulnerability described in GLSA-200803-28 (OpenLDAP: Denial of Service vulnerabilities)

    The following errors have been discovered in OpenLDAP:
    Tony Blake discovered an error which exists within the normalisation of     'objectClasses' (CVE-2007-5707).
    Thomas Sesselmann reported that, when running as a proxy-caching server     the 'add_filter_attrs()' function in servers/slapd/overlay/pcache.c     does not correctly NULL terminate 'new_attrs' (CVE-2007-5708).
    A double-free bug exists in attrs_free() in the file     servers/slapd/back-bdb/modrdn.c, which was discovered by Jonathan     Clarke (CVE-2008-0658).
  Impact :

    A remote attacker can cause a Denial of Serivce by sending a malformed     'objectClasses' attribute, and via unknown vectors that prevent the     'new_attrs' array from being NULL terminated, and via a modrdn     operation with a NOOP (LDAP_X_NO_OPERATION) control.
  Workaround :

    There is no known workaround at this time.

This update fixes multiple flaws that could cause slapd to crash.
(CVE-2007-5707 / CVE-2007-5708)

Thomas Sesselmann discovered that the OpenLDAP slapd server did not properly handle certain modify requests. A remote attacker could send malicious modify requests to the server and cause a denial of service.
(CVE-2007-5707)

Toby Blake discovered that slapd did not properly terminate an array while running as a proxy-caching server. A remote attacker may be able to send crafted search requests to the server and cause a denial of service. This issue only affects Ubuntu 7.04 and 7.10. (CVE-2007-5708).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes multiple flaws that could cause slapd to crash (CVE-2007-5707, CVE-2007-5708).

- Fri Nov 2 2007 Jan Safranek <jsafranek at redhat.com>     2.3.34-4.fc7

    - fix various security flaws (#360081)

    - Fri Jul 13 2007 Jan Safranek <jsafranek at redhat.com>       2.3.34-3.fc7

    - Fix initscript return codes (#242667)

    - Provide overlays including smbk5pwd (as modules;
      #246036, #245896, #220895)

    - Add available modules to config file

    - do not create script in /tmp on startup (bz#188298)

    - add compat-slapcat to openldap-compat (bz#179378)

    - do not import ddp services with migrate_services.pl       (bz#201183)

  - sort the hosts by address, preventing duplicities in     migrate*nis*.pl (bz#201540)

  - start slupd for each replicated database (bz#210155)

    - add ldconfig to devel post/postun (bz#240253)

    - include misc.schema in default slapd.conf (bz#147805)

    - Mon Apr 23 2007 Jan Safranek <jsafranek at redhat.com>       2.3.34-2.fc7

    - slapadd during package update is now quiet (bz#224581)

    - use _localstatedir instead of var/ during build       (bz#220970)

    - bind-libbind-devel removed from BuildRequires       (bz#216851)

    - slaptest is now quiet during service ldap start, if       there is no error/warning (bz#143697)

  - libldap_r.so now links with pthread (bz#198226)

    - do not strip binaries to produce correct .debuginfo       packages (bz#152516)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Fri Nov 2 2007 Jan Safranek <jsafranek at redhat.com>     2.3.30-3.fc6

    - add ldconfig to devel post/postun (bz#240253)

    - do not create script in /tmp on startup (bz#188298)

    - start slupd for each replicated database (bz#210155)

    - fix security issues #359851 and #359861

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Fri Nov 2 2007 Jan Safranek <jsafranek at redhat.com>     2.3.39-1.fc8

    - new upstream version, fixing few security flaws       (#362991)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

BugTraq reports :

OpenLDAP is prone to multiple remote denial-of-service vulnerabilities because of an incorrect NULL-termination issue and a double-free issue.

ID	Name	Product	Family	Severity
37371	Mandriva Linux Security Advisory : openldap (MDVSA-2008:058)	Nessus	Mandriva Local Security Checks	high
31811	Debian DSA-1541-1 : openldap2.3 - several vulnerabilities	Nessus	Debian Local Security Checks	high
31634	GLSA-200803-28 : OpenLDAP: Denial of Service vulnerabilities	Nessus	Gentoo Local Security Checks	high
29536	SuSE 10 Security Update : openldap2 (ZYPP Patch Number 4679)	Nessus	SuSE Local Security Checks	high
29215	Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : openldap vulnerabilities (USN-551-1)	Nessus	Ubuntu Local Security Checks	high
28327	openSUSE 10 Security Update : openldap2 (openldap2-4677)	Nessus	SuSE Local Security Checks	high
28305	Fedora 7 : openldap-2.3.34-4.fc7 (2007-3124)	Nessus	Fedora Local Security Checks	high
28232	Fedora Core 6 : openldap-2.3.30-3.fc6 (2007-741)	Nessus	Fedora Local Security Checks	high
28153	Fedora 8 : openldap-2.3.39-1.fc8 (2007-2796)	Nessus	Fedora Local Security Checks	high
27601	FreeBSD : openldap -- multiple remote denial of service vulnerabilities (db449245-870d-11dc-a3ec-001921ab2fa4)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2007-5708

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high