Security update for openldap2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:1567-1 Final 1 1 2017-06-14T14:33:22Z current 2017-06-14T14:33:22Z 2017-06-14T14:33:22Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openldap2 This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764) Non security bugs fixed: - Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. (bsc#1009470) - Fix an uninitialised variable that causes startup failure (bsc#1037396) - Fix an issue with transaction management that can cause server crash (bsc#972331) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-962,SUSE-SLE-DESKTOP-12-SP2-2017-962,SUSE-SLE-RPI-12-SP2-2017-962,SUSE-SLE-SDK-12-SP2-2017-962,SUSE-SLE-SERVER-12-SP2-2017-962 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20171567-1/ Link for SUSE-SU-2017:1567-1 https://lists.suse.com/pipermail/sle-security-updates/2017-June/002942.html E-Mail link for SUSE-SU-2017:1567-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1009470 SUSE Bug 1009470 https://bugzilla.suse.com/1037396 SUSE Bug 1037396 https://bugzilla.suse.com/1041764 SUSE Bug 1041764 https://bugzilla.suse.com/972331 SUSE Bug 972331 https://www.suse.com/security/cve/CVE-2017-9287/ SUSE CVE CVE-2017-9287 page SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Software Development Kit 12 SP2 libldap-2_4-2-2.4.41-18.29.1 libldap-2_4-2-32bit-2.4.41-18.29.1 openldap2-client-2.4.41-18.29.1 openldap2-2.4.41-18.29.1 openldap2-back-meta-2.4.41-18.29.1 openldap2-back-perl-2.4.41-18.29.1 openldap2-devel-2.4.41-18.29.1 openldap2-devel-static-2.4.41-18.29.1 libldap-2_4-2-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 libldap-2_4-2-32bit-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 openldap2-client-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 libldap-2_4-2-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Server 12 SP2 libldap-2_4-2-32bit-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Server 12 SP2 openldap2-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Server 12 SP2 openldap2-back-meta-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Server 12 SP2 openldap2-client-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Server 12 SP2 libldap-2_4-2-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 openldap2-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 openldap2-back-meta-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 openldap2-client-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 libldap-2_4-2-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 libldap-2_4-2-32bit-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 openldap2-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 openldap2-back-meta-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 openldap2-client-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 openldap2-back-perl-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 openldap2-devel-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 openldap2-devel-static-2.4.41-18.29.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to a double free vulnerability. A user with access to search the directory can crash slapd by issuing a search including the Paged Results control with a page size of 0. CVE-2017-9287 SUSE Linux Enterprise Desktop 12 SP2:libldap-2_4-2-2.4.41-18.29.1 SUSE Linux Enterprise Desktop 12 SP2:libldap-2_4-2-32bit-2.4.41-18.29.1 SUSE Linux Enterprise Desktop 12 SP2:openldap2-client-2.4.41-18.29.1 SUSE Linux Enterprise Server 12 SP2:libldap-2_4-2-2.4.41-18.29.1 SUSE Linux Enterprise Server 12 SP2:libldap-2_4-2-32bit-2.4.41-18.29.1 SUSE Linux Enterprise Server 12 SP2:openldap2-2.4.41-18.29.1 SUSE Linux Enterprise Server 12 SP2:openldap2-back-meta-2.4.41-18.29.1 SUSE Linux Enterprise Server 12 SP2:openldap2-client-2.4.41-18.29.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libldap-2_4-2-2.4.41-18.29.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:openldap2-2.4.41-18.29.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:openldap2-back-meta-2.4.41-18.29.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:openldap2-client-2.4.41-18.29.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libldap-2_4-2-2.4.41-18.29.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libldap-2_4-2-32bit-2.4.41-18.29.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:openldap2-2.4.41-18.29.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:openldap2-back-meta-2.4.41-18.29.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:openldap2-client-2.4.41-18.29.1 SUSE Linux Enterprise Software Development Kit 12 SP2:openldap2-back-perl-2.4.41-18.29.1 SUSE Linux Enterprise Software Development Kit 12 SP2:openldap2-devel-2.4.41-18.29.1 SUSE Linux Enterprise Software Development Kit 12 SP2:openldap2-devel-static-2.4.41-18.29.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20171567-1/ https://www.suse.com/security/cve/CVE-2017-9287.html CVE-2017-9287 https://bugzilla.suse.com/1041764 SUSE Bug 1041764