[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SRM] (PRSC) Security fixes and possible database corruption

On Mon, Mar 28, 2011 at 10:41:23PM +0200, Matthijs Möhlmann wrote:
> CVE-2011-1081:
> modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attackers to cause a denial of service (daemon crash) via a relative Distinguished Name (DN) modification request (aka MODRDN operation) that contains an empty value for the OldDN field.
> Fix: http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/modrdn.c.diff?hideattic=1&r1=text&tr1=1.181&r2=text&tr2=1.182&f=c
> Impact: High, possibility to remotely crash slapd.

This is new in the tracker, and so might be DSA material. Security team,
can you decide if this should be a point release or a DSA please?

> I would like to fix the above bugs and have it uploaded to squeeze. Am I allowed to fix these
> issues for squeeze? And should I upload these through stable-proposed-updates after you
> reviewed the debdiff of course?

Not speaking for the release team, but from experience: the issues should
be fixed in unstable first (I notice the bug is pending) and then a debdiff
prepared and submitted to the release team for consideration.

I'm tracking these three issues - it would help me greatly to keep PRSC
somewhere in the subject.


Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Attachment: signature.asc
Description: Digital signature

Reply to: