Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#46265 - [openldap][CVE-2015-6908] Denial of Service in ber_get_next
Attached to Project:
Arch Linux
Opened by Christian Rebischke (Shibumi) - Friday, 11 September 2015, 20:20 GMT
Last edited by Sébastien Luttringer (seblu) - Saturday, 12 September 2015, 13:16 GMT
Details

Hello,

Version 2.4.42-1 has a denial of service vulnerability in the ber_get_next method. Please check out my links below:

Proof of Concept + Exploit: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240

Current upstream fix: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=6fe51a9ab04fd28bbc171da3cf12f1c1040d6629

greetings
Christian Rebischke (Archlinux CVE-Monitoring Team)
Closed by Sébastien Luttringer (seblu)
Saturday, 12 September 2015, 13:16 GMT
Reason for closing: Fixed
Additional comments about closing: openldap-2.4.42-2
[1]: Comment 7 of http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240