Security update for openldap2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2015:1077-1 Final 1 1 2015-05-18T08:42:31Z current 2015-05-18T08:42:31Z 2015-05-18T08:42:31Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openldap2 openldap2 was updated to fix two security issues and one non-security bug. The following vulnerabilities were fixed: * A remote attacker could cause a denial of service through a NULL pointer dereference and crash via an empty attribute list in a deref control in a search request. (bnc#916897 CVE-2015-1545) * A remote attacker could cause a denial of service (crash) via a crafted search query with a matched values control. (bnc#916914 CVE-2015-1546) The following non-security issue was fixed: * Prevent connection-0 (internal connection) from showing up in the monitor backend (bnc#905959) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-2015-273,SUSE-SLE-Module-Legacy-12-2015-273,SUSE-SLE-SAP-12-2015-273,SUSE-SLE-SDK-12-2015-273,SUSE-SLE-SERVER-12-2015-273 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2015/suse-su-20151077-1/ Link for SUSE-SU-2015:1077-1 https://lists.suse.com/pipermail/sle-security-updates/2015-June/001443.html E-Mail link for SUSE-SU-2015:1077-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/905959 SUSE Bug 905959 https://bugzilla.suse.com/916897 SUSE Bug 916897 https://bugzilla.suse.com/916914 SUSE Bug 916914 https://www.suse.com/security/cve/CVE-2015-1545/ SUSE CVE CVE-2015-1545 page https://www.suse.com/security/cve/CVE-2015-1546/ SUSE CVE CVE-2015-1546 page SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Module for Legacy 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Software Development Kit 12 libldap-2_4-2-2.4.39-16.1 libldap-2_4-2-32bit-2.4.39-16.1 openldap2-client-2.4.39-16.1 compat-libldap-2_3-0-2.3.37-16.1 openldap2-back-perl-2.4.39-16.1 openldap2-devel-2.4.39-16.1 openldap2-devel-static-2.4.39-16.1 openldap2-2.4.39-16.1 openldap2-back-meta-2.4.39-16.1 libldap-2_4-2-2.4.39-16.1 as a component of SUSE Linux Enterprise Desktop 12 libldap-2_4-2-32bit-2.4.39-16.1 as a component of SUSE Linux Enterprise Desktop 12 openldap2-client-2.4.39-16.1 as a component of SUSE Linux Enterprise Desktop 12 compat-libldap-2_3-0-2.3.37-16.1 as a component of SUSE Linux Enterprise Module for Legacy 12 libldap-2_4-2-2.4.39-16.1 as a component of SUSE Linux Enterprise Server 12 libldap-2_4-2-32bit-2.4.39-16.1 as a component of SUSE Linux Enterprise Server 12 openldap2-2.4.39-16.1 as a component of SUSE Linux Enterprise Server 12 openldap2-back-meta-2.4.39-16.1 as a component of SUSE Linux Enterprise Server 12 openldap2-client-2.4.39-16.1 as a component of SUSE Linux Enterprise Server 12 compat-libldap-2_3-0-2.3.37-16.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 libldap-2_4-2-2.4.39-16.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 libldap-2_4-2-32bit-2.4.39-16.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 openldap2-2.4.39-16.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 openldap2-back-meta-2.4.39-16.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 openldap2-client-2.4.39-16.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 openldap2-back-perl-2.4.39-16.1 as a component of SUSE Linux Enterprise Software Development Kit 12 openldap2-devel-2.4.39-16.1 as a component of SUSE Linux Enterprise Software Development Kit 12 openldap2-devel-static-2.4.39-16.1 as a component of SUSE Linux Enterprise Software Development Kit 12 The deref_parseCtrl function in servers/slapd/overlays/deref.c in OpenLDAP 2.4.13 through 2.4.40 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an empty attribute list in a deref control in a search request. CVE-2015-1545 SUSE Linux Enterprise Desktop 12:libldap-2_4-2-2.4.39-16.1 SUSE Linux Enterprise Desktop 12:libldap-2_4-2-32bit-2.4.39-16.1 SUSE Linux Enterprise Desktop 12:openldap2-client-2.4.39-16.1 SUSE Linux Enterprise Module for Legacy 12:compat-libldap-2_3-0-2.3.37-16.1 SUSE Linux Enterprise Server 12:libldap-2_4-2-2.4.39-16.1 SUSE Linux Enterprise Server 12:libldap-2_4-2-32bit-2.4.39-16.1 SUSE Linux Enterprise Server 12:openldap2-2.4.39-16.1 SUSE Linux Enterprise Server 12:openldap2-back-meta-2.4.39-16.1 SUSE Linux Enterprise Server 12:openldap2-client-2.4.39-16.1 SUSE Linux Enterprise Server for SAP Applications 12:compat-libldap-2_3-0-2.3.37-16.1 SUSE Linux Enterprise Server for SAP Applications 12:libldap-2_4-2-2.4.39-16.1 SUSE Linux Enterprise Server for SAP Applications 12:libldap-2_4-2-32bit-2.4.39-16.1 SUSE Linux Enterprise Server for SAP Applications 12:openldap2-2.4.39-16.1 SUSE Linux Enterprise Server for SAP Applications 12:openldap2-back-meta-2.4.39-16.1 SUSE Linux Enterprise Server for SAP Applications 12:openldap2-client-2.4.39-16.1 SUSE Linux Enterprise Software Development Kit 12:openldap2-back-perl-2.4.39-16.1 SUSE Linux Enterprise Software Development Kit 12:openldap2-devel-2.4.39-16.1 SUSE Linux Enterprise Software Development Kit 12:openldap2-devel-static-2.4.39-16.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20151077-1/ https://www.suse.com/security/cve/CVE-2015-1545.html CVE-2015-1545 https://bugzilla.suse.com/846389 SUSE Bug 846389 https://bugzilla.suse.com/916897 SUSE Bug 916897 https://bugzilla.suse.com/916914 SUSE Bug 916914 Double free vulnerability in the get_vrFilter function in servers/slapd/filter.c in OpenLDAP 2.4.40 allows remote attackers to cause a denial of service (crash) via a crafted search query with a matched values control. CVE-2015-1546 SUSE Linux Enterprise Desktop 12:libldap-2_4-2-2.4.39-16.1 SUSE Linux Enterprise Desktop 12:libldap-2_4-2-32bit-2.4.39-16.1 SUSE Linux Enterprise Desktop 12:openldap2-client-2.4.39-16.1 SUSE Linux Enterprise Module for Legacy 12:compat-libldap-2_3-0-2.3.37-16.1 SUSE Linux Enterprise Server 12:libldap-2_4-2-2.4.39-16.1 SUSE Linux Enterprise Server 12:libldap-2_4-2-32bit-2.4.39-16.1 SUSE Linux Enterprise Server 12:openldap2-2.4.39-16.1 SUSE Linux Enterprise Server 12:openldap2-back-meta-2.4.39-16.1 SUSE Linux Enterprise Server 12:openldap2-client-2.4.39-16.1 SUSE Linux Enterprise Server for SAP Applications 12:compat-libldap-2_3-0-2.3.37-16.1 SUSE Linux Enterprise Server for SAP Applications 12:libldap-2_4-2-2.4.39-16.1 SUSE Linux Enterprise Server for SAP Applications 12:libldap-2_4-2-32bit-2.4.39-16.1 SUSE Linux Enterprise Server for SAP Applications 12:openldap2-2.4.39-16.1 SUSE Linux Enterprise Server for SAP Applications 12:openldap2-back-meta-2.4.39-16.1 SUSE Linux Enterprise Server for SAP Applications 12:openldap2-client-2.4.39-16.1 SUSE Linux Enterprise Software Development Kit 12:openldap2-back-perl-2.4.39-16.1 SUSE Linux Enterprise Software Development Kit 12:openldap2-devel-2.4.39-16.1 SUSE Linux Enterprise Software Development Kit 12:openldap2-devel-static-2.4.39-16.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20151077-1/ https://www.suse.com/security/cve/CVE-2015-1546.html CVE-2015-1546 https://bugzilla.suse.com/916914 SUSE Bug 916914