Debian Security Advisory

DSA-068-1 openldap -- remote DoS

Date Reported:
09 Aug 2001
Affected Packages:
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 3049.
In Mitre's CVE dictionary: CVE-2001-0977.
CERT's vulnerabilities, advisories and incident notes: CA-2001-18.
More information:
The CERT advisory lists a number of vulnerabilities in various LDAP implementations, based on the results of the PROTOS LDAPv3 test suite. These tests found one problem in OpenLDAP, a free LDAP implementation which is shipped as part of Debian GNU/Linux 2.2.

The problem is that slapd did not handle packets which had BER fields of invalid length and would crash if it received them. An attacker could use this to mount a remote denial of service attack.

This problem has been fixed in version 1.2.12-1, and we recommend that you upgrade your slapd package immediately.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Architecture-independent component:
Intel IA-32:
Motorola 680x0:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.