Debian Security Advisory

DSA-4884-1 ldb -- security update

Date Reported:
02 Apr 2021
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 985935, Bug 985936.
In Mitre's CVE dictionary: CVE-2020-10730, CVE-2020-27840, CVE-2021-20277.
More information:

Multiple vulnerabilities have been discovered in ldb, a LDAP-like embedded database built on top of TDB.

  • CVE-2020-10730

    Andrew Bartlett discovered a NULL pointer dereference and use-after-free flaw when handling ASQ and VLV LDAP controls and combinations with the LDAP paged_results feature.

  • CVE-2020-27840

    Douglas Bagnall discovered a heap corruption flaw via crafted DN strings.

  • CVE-2021-20277

    Douglas Bagnall discovered an out-of-bounds read vulnerability in handling LDAP attributes that contains multiple consecutive leading spaces.

For the stable distribution (buster), these problems have been fixed in version 2:1.5.1+really1.4.6-3+deb10u1.

We recommend that you upgrade your ldb packages.

For the detailed security status of ldb please refer to its security tracker page at: