-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2011:055 http://www.mandriva.com/security/ _______________________________________________________________________ Package : openldap Date : March 30, 2011 Affected: 2009.0, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been identified and fixed in openldap: chain.c in back-ldap in OpenLDAP 2.4.x before 2.4.24, when a master-slave configuration with a chain overlay and ppolicy_forward_updates (aka authentication-failure forwarding) is used, allows remote authenticated users to bypass external-program authentication by sending an invalid password to a slave server (CVE-2011-1024). modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attackers to cause a denial of service (daemon crash) via a relative Distinguished Name (DN) modification request (aka MODRDN operation) that contains an empty value for the OldDN field (CVE-2011-1081). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 The updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1024 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1081 _______________________________________________________________________ Updated Packages: Mandriva Linux 2009.0: 83ccec2a20904df9a0ca143da248d5d9 2009.0/i586/libldap2.4_2-2.4.11-3.4mdv2009.0.i586.rpm 71b97d10738a74644373e91269eaeed6 2009.0/i586/libldap2.4_2-devel-2.4.11-3.4mdv2009.0.i586.rpm 9d8ed8fde6288f8883bb1d13344e047a 2009.0/i586/libldap2.4_2-static-devel-2.4.11-3.4mdv2009.0.i586.rpm fb3d985950e150a02e8c230a311051c3 2009.0/i586/openldap-2.4.11-3.4mdv2009.0.i586.rpm ba4a65282d12a598e1e951080a18565f 2009.0/i586/openldap-clients-2.4.11-3.4mdv2009.0.i586.rpm ed18a20fa96960cfc10034c732b56b2c 2009.0/i586/openldap-doc-2.4.11-3.4mdv2009.0.i586.rpm e68073473f08adf052cc166ea2f2c8e5 2009.0/i586/openldap-servers-2.4.11-3.4mdv2009.0.i586.rpm ff1dcd171670dbb0e84845761baec2d4 2009.0/i586/openldap-testprogs-2.4.11-3.4mdv2009.0.i586.rpm 7f9e1581e730cc69109db37dd63453ba 2009.0/i586/openldap-tests-2.4.11-3.4mdv2009.0.i586.rpm 1b9fa8641f7f41d4dd859e73170d0b34 2009.0/SRPMS/openldap-2.4.11-3.4mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: ecf971b49682fb6637c335f2790413db 2009.0/x86_64/lib64ldap2.4_2-2.4.11-3.4mdv2009.0.x86_64.rpm df29b7188a9b48141288950b00f2d7c9 2009.0/x86_64/lib64ldap2.4_2-devel-2.4.11-3.4mdv2009.0.x86_64.rpm fbdfbe6bb56cbe74c4c35a711450ae04 2009.0/x86_64/lib64ldap2.4_2-static-devel-2.4.11-3.4mdv2009.0.x86_64.rpm 6336cf856ad3fd9cb71e69f89ae621a5 2009.0/x86_64/openldap-2.4.11-3.4mdv2009.0.x86_64.rpm 08cbb77b99ee361f06650fd04ab954c4 2009.0/x86_64/openldap-clients-2.4.11-3.4mdv2009.0.x86_64.rpm 9f1bcc61420e107387d20afcbfbda8ca 2009.0/x86_64/openldap-doc-2.4.11-3.4mdv2009.0.x86_64.rpm a23b50b362db34c35d7e206147e40d1d 2009.0/x86_64/openldap-servers-2.4.11-3.4mdv2009.0.x86_64.rpm 0726dd1f6b44f0c215a3c27644e426db 2009.0/x86_64/openldap-testprogs-2.4.11-3.4mdv2009.0.x86_64.rpm e66476117347d5c19ac64b6bf3a00484 2009.0/x86_64/openldap-tests-2.4.11-3.4mdv2009.0.x86_64.rpm 1b9fa8641f7f41d4dd859e73170d0b34 2009.0/SRPMS/openldap-2.4.11-3.4mdv2009.0.src.rpm Mandriva Enterprise Server 5: 21948fd7dce8ce2c4c8fef768cfebda2 mes5/i586/libldap2.4_2-2.4.11-3.4mdvmes5.2.i586.rpm 7857e09b074a340d74373b90900d7669 mes5/i586/libldap2.4_2-devel-2.4.11-3.4mdvmes5.2.i586.rpm 9d2e59be28483bcf3acb4ff25089a390 mes5/i586/libldap2.4_2-static-devel-2.4.11-3.4mdvmes5.2.i586.rpm 2c3d52c077a56fa832d2d4209ad46834 mes5/i586/openldap-2.4.11-3.4mdvmes5.2.i586.rpm acc2717ad2b29a7b02ba7f943ef92416 mes5/i586/openldap-clients-2.4.11-3.4mdvmes5.2.i586.rpm d3deba0317c9f52ec463928a190dec51 mes5/i586/openldap-doc-2.4.11-3.4mdvmes5.2.i586.rpm f4da14b20cccf8a3059bf512ba839fb4 mes5/i586/openldap-servers-2.4.11-3.4mdvmes5.2.i586.rpm 3c34b1a9af109ee763cb26ee7615e60c mes5/i586/openldap-testprogs-2.4.11-3.4mdvmes5.2.i586.rpm a52cf23420f23ed3d3ac84abe446ae92 mes5/i586/openldap-tests-2.4.11-3.4mdvmes5.2.i586.rpm b9bced393f520051e28a489c6d8ff9ab mes5/SRPMS/openldap-2.4.11-3.4mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: aa04b9b7aa03aab2ec36bf7027339ea6 mes5/x86_64/lib64ldap2.4_2-2.4.11-3.4mdvmes5.2.x86_64.rpm 7ef3c991e2bc597b527af6b1f4fbbe45 mes5/x86_64/lib64ldap2.4_2-devel-2.4.11-3.4mdvmes5.2.x86_64.rpm 978ea5eed1b8957f352503e1d1036f37 mes5/x86_64/lib64ldap2.4_2-static-devel-2.4.11-3.4mdvmes5.2.x86_64.rpm 2805cdd7f4b21269cbb7867492022743 mes5/x86_64/openldap-2.4.11-3.4mdvmes5.2.x86_64.rpm fd58b85bd63050c9e92947cda1e9c7ca mes5/x86_64/openldap-clients-2.4.11-3.4mdvmes5.2.x86_64.rpm f4f917d985b61cf253ef64d5b488ae55 mes5/x86_64/openldap-doc-2.4.11-3.4mdvmes5.2.x86_64.rpm 6717e80f594124b5a453f34945cf626b mes5/x86_64/openldap-servers-2.4.11-3.4mdvmes5.2.x86_64.rpm a4533095a840c1dcb204f980555f885a mes5/x86_64/openldap-testprogs-2.4.11-3.4mdvmes5.2.x86_64.rpm abb0169c24cee8546bfa9e59d3e602e7 mes5/x86_64/openldap-tests-2.4.11-3.4mdvmes5.2.x86_64.rpm b9bced393f520051e28a489c6d8ff9ab mes5/SRPMS/openldap-2.4.11-3.4mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFNkv3xmqjQ0CJFipgRAqQSAKCc3vPvJODiYO5xcI5stKqfUAsbAQCeJSyY d2dZNLuNg8Fe8uz62O13Pfk= =/zxu -----END PGP SIGNATURE-----