SB2015091407 - Input validation error in openldap (Alpine package)
Published: September 14, 2015
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2015-6908)
The vulnerability allows a remote unauthenticated attacker to cause a denial of service.
The ber_get_next function in libraries/liblber/io.c in OpenLDAP 2.4.42 and earlier allows remote attackers to cause a denial of service (reachable assertion and application crash) via crafted BER data, as demonstrated by an attack against slapd.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=9182b4452fd0f61c5cf3d6d43e31fc17ac2f9b1a
- https://git.alpinelinux.org/aports/commit/?id=0c87e4a76b392a481552008dcdd888026a2e307c
- https://git.alpinelinux.org/aports/commit/?id=155c547ee993aa64508638867875b2cbe79b1491
- https://git.alpinelinux.org/aports/commit/?id=38f99bbb5423bbd53311287136f971848c5f831d
- https://git.alpinelinux.org/aports/commit/?id=583a384a166961fb9dc95021c7f5f7b5d10e8910