Detections
Analytics

OracleVM 3.2 : openldap (OVMSA-2016-0069)

medium Nessus Plugin ID 91749

Language:

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

 - CVE-2015-6908 openldap: ber_get_next denial of service vulnerability (#1263170)

 - fix: syncprov psearch race condition (#999811)

 - fix: CVE-2013-4449 segfault on certain queries with rwm overlay (#1064146)

 - fix: do not send IPv6 DNS queries when IPv6 is disabled on the host (#812772)

 - fix: disable static libraries stripping (#684630)

 - fix: memory leaks in syncrepl and slap_sl_free (#741184)

 - new feature update: honor priority/weight with ldap_domain2hostlist (#733435)

 - fix: initscript marked as %config incorrectly (#738768)

 - new feature: honor priority/weight with ldap_domain2hostlist (#733435)

 - fix: strict aliasing warnings during package build (#732381)

 - fix: OpenLDAP packages lack debug data (#684630)

 - doc: Document preferred use of TLS_CACERT instead of TLS_CACERTDIR to specify Certificate Authorities (#699652)

 - fix: libldap ignores a directory of CA certificates if any of them can't be read (#609722)

 - fix: Migration: migrate_all_offline.sh can't handle duplicate entries (#563148)

 - fix: Init script is working wrong if database recovery is needed (#604092)

 - fix: CVE-2011-1024 ppolicy forwarded bind failure messages cause success (#680486)

 - fix: slapd concurrent access to connections causes slapd to silently die (#641953)

 - backport: ldap_init_fd API function

 - fix: ppolicy crash while replace-deleting userPassword attribute (#665951)

 - fix: connection freeze when using TLS (#591419)

 - don't remove task twice during replication

 - fixed segfault issues in modrdn (#606375)

 - added patch handling null char in TLS to compat package (#606375, patch backported by Jan Vcelak )

Solution

Update the affected openldap / openldap-clients packages.

See Also

https://oss.oracle.com/pipermail/oraclevm-errata/2016-June/000489.html

Plugin Details

Severity: Medium

ID: 91749

File Name: oraclevm_OVMSA-2016-0069.nasl

Version: 2.6

Type: local

Published: 6/22/2016

Updated: 1/4/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:openldap, p-cpe:/a:oracle:vm:openldap-clients, cpe:/o:oracle:vm_server:3.2

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/21/2016

Vulnerability Publication Date: 3/19/2011

Reference Information

CVE: CVE-2011-1024, CVE-2013-4449, CVE-2015-6908

BID: 46363, 63190