--On Wednesday, November 08, 2006 1:56 PM -0800 Quanah Gibson-Mount <[EMAIL PROTECTED]> wrote:

--On Wednesday, November 08, 2006 10:53 PM +0100 Stefan Fritsch
<[EMAIL PROTECTED]> wrote:

Can you supply actual details?  This statement isn't very useful
without them.

Oops. Of course:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5779
http://secunia.com/advisories/22750

Proof of concept exploit (not tested) is at
http://gleg.net/vulndisco_meta.shtml

I think upstream should handle this, I've already contacted the other OL
developers.

Of course, this guy is using CRAM-MD5, which isn't even a supported SASL
mech for OpenLDAP, so it is an interesting bug...

Upstream patch available at:

<http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/getdn.c>

getdn.c  1.124.2.4 -> 1.124.2.5

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html