Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Discontinued :: cs2001-0.txt

OpenLDAP attribute deletion problem - Caldera Advisory CSSA-2002-001.0




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
                   Caldera International, Inc.  Security Advisory

Subject:                Linux - OpenLDAP attribute deletion problem
Advisory number:        CSSA-2002-001.0
Issue date:             2002, January 16
Cross reference:
______________________________________________________________________________


1. Problem Description

   Recently a security flaw was discovered in OpenLDAP 2.0.19 slapd(8)
   regarding application of access controls upon modify operations issued
   by authenticated users. Specifically, slapd(8) did not disallow a
   replace with no values from deleting the attribute which was protected
   by ACLs (if such was allowed by checked schema rules). That is, this
   flaw allowed any authenticated user to delete any non-mandatory
   attribute of an object. In 2.0 versions prior to 2.0.8, this flaw is
   NOT restricted to authenticated users (that is, anonymous users can
   abuse the flaw as well).


2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux 2.3                 not vulnerable                
   
   OpenLinux eServer 2.3.1       All packages previous to      
   and OpenLinux eBuilder        openldap-2.0.11-11S           
   
   OpenLinux eDesktop 2.4        not vulnerable                
   
   OpenLinux Server 3.1          All packages previous to      
                                 openldap-2.0.11-11            
   
   OpenLinux Workstation 3.1     All packages previous to      
                                 openldap-2.0.11-11            
   
   OpenLinux 3.1 IA64            All packages previous to      
                                 openldap-2.0.11-11            
   
   OpenLinux Server 3.1.1        All packages previous to      
                                 openldap-2.0.11-11            
   
   OpenLinux Workstation         All packages previous to      
   3.1.1                         openldap-2.0.11-11            
   


3. Solution

   Workaround

     none

   The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

    not vulnerable

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

    5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       b333cf77ecde92a6c3b6e4c313361e09  RPMS/openldap-2.0.11-11S.i386.rpm
       360db3b5a0f9d0321b00ff0f87b82597  RPMS/openldap-devel-2.0.11-11S.i386.rpm
       998057cac63c831a98cdf95aa3836618  SRPMS/openldap-2.0.11-11S.src.rpm
       

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh openldap-2.0.11-11S.i386.rpm \
              openldap-devel-2.0.11-11S.i386.rpm
         
         ! test -f /var/lock/subsys/ldap || /etc/rc.d/init.d/ldap restart

6. OpenLinux eDesktop 2.4

    not vulnerable

7. OpenLinux 3.1 Server

    7.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

   7.2 Verification

       9f26a9aeece05e9b105ad91dc7a42e81  RPMS/openldap-2.0.11-11.i386.rpm
       c9d647ce4c4e32504f8e4dc591abf913  RPMS/openldap-devel-2.0.11-11.i386.rpm
       9c711fcadd57f4438804f28f9f093ff1  SRPMS/openldap-2.0.11-11.src.rpm
       

   7.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh openldap-2.0.11-11.i386.rpm \
              openldap-devel-2.0.11-11.i386.rpm
         
         ! test -f /var/lock/subsys/ldap || /etc/rc.d/init.d/ldap restart

8. OpenLinux 3.1 Workstation

    8.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

   8.2 Verification

       9f26a9aeece05e9b105ad91dc7a42e81  RPMS/openldap-2.0.11-11.i386.rpm
       c9d647ce4c4e32504f8e4dc591abf913  RPMS/openldap-devel-2.0.11-11.i386.rpm
       9c711fcadd57f4438804f28f9f093ff1  SRPMS/openldap-2.0.11-11.src.rpm
       

   8.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh openldap-2.0.11-11.i386.rpm \
              openldap-devel-2.0.11-11.i386.rpm
         
         ! test -f /var/lock/subsys/ldap || /etc/rc.d/init.d/ldap restart

9. OpenLinux 3.1 IA64

    9.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/IA64/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/IA64/current/SRPMS

   9.2 Verification

       8930f4659c778991f12e2321db0c15f1  RPMS/openldap-2.0.11-11.ia64.rpm
       40057a2bc591a7ea7b3fbd9f30a38ffb  RPMS/openldap-devel-2.0.11-11.ia64.rpm
       9c711fcadd57f4438804f28f9f093ff1  SRPMS/openldap-2.0.11-11.src.rpm
       

   9.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh openldap-2.0.11-11.ia64.rpm \
              openldap-devel-2.0.11-11.ia64.rpm
         
         ! test -f /var/lock/subsys/ldap || /etc/rc.d/init.d/ldap restart

10. OpenLinux 3.1.1 Server

    10.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

   10.2 Verification

       6063e436317e63de7d7dfd1d6ab11e47  RPMS/openldap-2.0.11-11.i386.rpm
       886b4f5106c4fd116a1e8a5a51a90f53  RPMS/openldap-devel-2.0.11-11.i386.rpm
       9c711fcadd57f4438804f28f9f093ff1  SRPMS/openldap-2.0.11-11.src.rpm
       

   10.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh openldap-2.0.11-11.i386.rpm \
              openldap-devel-2.0.11-11.i386.rpm
         
         ! test -f /var/lock/subsys/ldap || /etc/rc.d/init.d/ldap restart

11. OpenLinux 3.1.1 Workstation

    11.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

   11.2 Verification

       6063e436317e63de7d7dfd1d6ab11e47  RPMS/openldap-2.0.11-11.i386.rpm
       886b4f5106c4fd116a1e8a5a51a90f53  RPMS/openldap-devel-2.0.11-11.i386.rpm
       9c711fcadd57f4438804f28f9f093ff1  SRPMS/openldap-2.0.11-11.src.rpm
       

   11.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh openldap-2.0.11-11.i386.rpm \
              openldap-devel-2.0.11-11.i386.rpm
         
         ! test -f /var/lock/subsys/ldap || /etc/rc.d/init.d/ldap restart


12. References

   This and other Caldera security resources are located at:

   http://www.caldera.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 11338.


13. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera OpenLinux.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8X8EE18sy83A/qfwRAr7jAJ9dtpcF8hvPHDNzopWX675pPCtcHQCfRz5b
nCzfU+dsuToQJzm/TpZpgMQ=
=g4rm
-----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH