Security update for openldap2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:0931-1 Final 1 1 2019-04-11T09:11:33Z current 2019-04-11T09:11:33Z 2019-04-11T09:11:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openldap2 This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764). - CVE-2017-17740: Fixed a denial of service (slapd crash) via a member MODDN operation that could have been triggered when both the nops module and the memberof overlay are enabled (bsc#1073313). Non-security issues fixed: - Fix a regression in handling of non-blocking connections (bsc#1031702) - Fix an uninitialised variable that causes startup failure (bsc#1037396) - Fix libldap leaks socket descriptors issue (bsc#1065083) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-931,SUSE-SLE-Module-Legacy-12-2019-931,SUSE-SLE-SAP-12-2019-931,SUSE-SLE-SAP-12-SP1-2019-931,SUSE-SLE-SAP-12-SP2-2019-931,SUSE-SLE-SAP-12-SP3-2019-931,SUSE-SLE-SAP-12-SP4-2019-931,SUSE-SLE-SERVER-12-2019-931,SUSE-SLE-SERVER-12-SP1-2019-931 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20190931-1/ Link for SUSE-SU-2019:0931-1 https://lists.suse.com/pipermail/sle-security-updates/2019-April/005325.html E-Mail link for SUSE-SU-2019:0931-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1031702 SUSE Bug 1031702 https://bugzilla.suse.com/1037396 SUSE Bug 1037396 https://bugzilla.suse.com/1041764 SUSE Bug 1041764 https://bugzilla.suse.com/1065083 SUSE Bug 1065083 https://bugzilla.suse.com/1073313 SUSE Bug 1073313 https://www.suse.com/security/cve/CVE-2017-17740/ SUSE CVE CVE-2017-17740 page https://www.suse.com/security/cve/CVE-2017-9287/ SUSE CVE CVE-2017-9287 page SUSE Linux Enterprise Module for Legacy 12 SUSE Linux Enterprise Server 12 SP1-LTSS SUSE Linux Enterprise Server 12-LTSS SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 compat-libldap-2_3-0-2.3.37-18.24.9.7 libldap-2_4-2-2.4.41-18.24.9.1 libldap-2_4-2-32bit-2.4.41-18.24.9.1 libldap-2_4-2-64bit-2.4.41-18.24.9.1 openldap2-2.4.41-18.24.9.7 openldap2-back-meta-2.4.41-18.24.9.7 openldap2-back-perl-2.4.41-18.24.9.7 openldap2-back-sql-2.4.41-18.24.9.7 openldap2-client-2.4.41-18.24.9.1 openldap2-devel-2.4.41-18.24.9.1 openldap2-devel-32bit-2.4.41-18.24.9.1 openldap2-devel-64bit-2.4.41-18.24.9.1 openldap2-devel-static-2.4.41-18.24.9.1 openldap2-doc-2.4.41-18.24.9.7 compat-libldap-2_3-0-2.3.37-18.24.9.7 as a component of SUSE Linux Enterprise Module for Legacy 12 libldap-2_4-2-2.4.41-18.24.9.1 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS libldap-2_4-2-32bit-2.4.41-18.24.9.1 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS openldap2-2.4.41-18.24.9.7 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS openldap2-back-meta-2.4.41-18.24.9.7 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS openldap2-client-2.4.41-18.24.9.1 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS libldap-2_4-2-2.4.41-18.24.9.1 as a component of SUSE Linux Enterprise Server 12-LTSS libldap-2_4-2-32bit-2.4.41-18.24.9.1 as a component of SUSE Linux Enterprise Server 12-LTSS openldap2-2.4.41-18.24.9.7 as a component of SUSE Linux Enterprise Server 12-LTSS openldap2-back-meta-2.4.41-18.24.9.7 as a component of SUSE Linux Enterprise Server 12-LTSS openldap2-client-2.4.41-18.24.9.1 as a component of SUSE Linux Enterprise Server 12-LTSS compat-libldap-2_3-0-2.3.37-18.24.9.7 as a component of SUSE Linux Enterprise Server for SAP Applications 12 libldap-2_4-2-2.4.41-18.24.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 libldap-2_4-2-32bit-2.4.41-18.24.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 openldap2-2.4.41-18.24.9.7 as a component of SUSE Linux Enterprise Server for SAP Applications 12 openldap2-back-meta-2.4.41-18.24.9.7 as a component of SUSE Linux Enterprise Server for SAP Applications 12 openldap2-client-2.4.41-18.24.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 compat-libldap-2_3-0-2.3.37-18.24.9.7 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 libldap-2_4-2-2.4.41-18.24.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 libldap-2_4-2-32bit-2.4.41-18.24.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 openldap2-2.4.41-18.24.9.7 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 openldap2-back-meta-2.4.41-18.24.9.7 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 openldap2-client-2.4.41-18.24.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 compat-libldap-2_3-0-2.3.37-18.24.9.7 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 compat-libldap-2_3-0-2.3.37-18.24.9.7 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 compat-libldap-2_3-0-2.3.37-18.24.9.7 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. CVE-2017-17740 SUSE Linux Enterprise Module for Legacy 12:compat-libldap-2_3-0-2.3.37-18.24.9.7 SUSE Linux Enterprise Server 12 SP1-LTSS:libldap-2_4-2-2.4.41-18.24.9.1 SUSE Linux Enterprise Server 12 SP1-LTSS:libldap-2_4-2-32bit-2.4.41-18.24.9.1 SUSE Linux Enterprise Server 12 SP1-LTSS:openldap2-2.4.41-18.24.9.7 SUSE Linux Enterprise Server 12 SP1-LTSS:openldap2-back-meta-2.4.41-18.24.9.7 SUSE Linux Enterprise Server 12 SP1-LTSS:openldap2-client-2.4.41-18.24.9.1 SUSE Linux Enterprise Server 12-LTSS:libldap-2_4-2-2.4.41-18.24.9.1 SUSE Linux Enterprise Server 12-LTSS:libldap-2_4-2-32bit-2.4.41-18.24.9.1 SUSE Linux Enterprise Server 12-LTSS:openldap2-2.4.41-18.24.9.7 SUSE Linux Enterprise Server 12-LTSS:openldap2-back-meta-2.4.41-18.24.9.7 SUSE Linux Enterprise Server 12-LTSS:openldap2-client-2.4.41-18.24.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:compat-libldap-2_3-0-2.3.37-18.24.9.7 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libldap-2_4-2-2.4.41-18.24.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libldap-2_4-2-32bit-2.4.41-18.24.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:openldap2-2.4.41-18.24.9.7 SUSE Linux Enterprise Server for SAP Applications 12 SP1:openldap2-back-meta-2.4.41-18.24.9.7 SUSE Linux Enterprise Server for SAP Applications 12 SP1:openldap2-client-2.4.41-18.24.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:compat-libldap-2_3-0-2.3.37-18.24.9.7 SUSE Linux Enterprise Server for SAP Applications 12 SP3:compat-libldap-2_3-0-2.3.37-18.24.9.7 SUSE Linux Enterprise Server for SAP Applications 12 SP4:compat-libldap-2_3-0-2.3.37-18.24.9.7 SUSE Linux Enterprise Server for SAP Applications 12:compat-libldap-2_3-0-2.3.37-18.24.9.7 SUSE Linux Enterprise Server for SAP Applications 12:libldap-2_4-2-2.4.41-18.24.9.1 SUSE Linux Enterprise Server for SAP Applications 12:libldap-2_4-2-32bit-2.4.41-18.24.9.1 SUSE Linux Enterprise Server for SAP Applications 12:openldap2-2.4.41-18.24.9.7 SUSE Linux Enterprise Server for SAP Applications 12:openldap2-back-meta-2.4.41-18.24.9.7 SUSE Linux Enterprise Server for SAP Applications 12:openldap2-client-2.4.41-18.24.9.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20190931-1/ https://www.suse.com/security/cve/CVE-2017-17740.html CVE-2017-17740 https://bugzilla.suse.com/1073313 SUSE Bug 1073313 servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to a double free vulnerability. A user with access to search the directory can crash slapd by issuing a search including the Paged Results control with a page size of 0. CVE-2017-9287 SUSE Linux Enterprise Module for Legacy 12:compat-libldap-2_3-0-2.3.37-18.24.9.7 SUSE Linux Enterprise Server 12 SP1-LTSS:libldap-2_4-2-2.4.41-18.24.9.1 SUSE Linux Enterprise Server 12 SP1-LTSS:libldap-2_4-2-32bit-2.4.41-18.24.9.1 SUSE Linux Enterprise Server 12 SP1-LTSS:openldap2-2.4.41-18.24.9.7 SUSE Linux Enterprise Server 12 SP1-LTSS:openldap2-back-meta-2.4.41-18.24.9.7 SUSE Linux Enterprise Server 12 SP1-LTSS:openldap2-client-2.4.41-18.24.9.1 SUSE Linux Enterprise Server 12-LTSS:libldap-2_4-2-2.4.41-18.24.9.1 SUSE Linux Enterprise Server 12-LTSS:libldap-2_4-2-32bit-2.4.41-18.24.9.1 SUSE Linux Enterprise Server 12-LTSS:openldap2-2.4.41-18.24.9.7 SUSE Linux Enterprise Server 12-LTSS:openldap2-back-meta-2.4.41-18.24.9.7 SUSE Linux Enterprise Server 12-LTSS:openldap2-client-2.4.41-18.24.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:compat-libldap-2_3-0-2.3.37-18.24.9.7 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libldap-2_4-2-2.4.41-18.24.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libldap-2_4-2-32bit-2.4.41-18.24.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:openldap2-2.4.41-18.24.9.7 SUSE Linux Enterprise Server for SAP Applications 12 SP1:openldap2-back-meta-2.4.41-18.24.9.7 SUSE Linux Enterprise Server for SAP Applications 12 SP1:openldap2-client-2.4.41-18.24.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:compat-libldap-2_3-0-2.3.37-18.24.9.7 SUSE Linux Enterprise Server for SAP Applications 12 SP3:compat-libldap-2_3-0-2.3.37-18.24.9.7 SUSE Linux Enterprise Server for SAP Applications 12 SP4:compat-libldap-2_3-0-2.3.37-18.24.9.7 SUSE Linux Enterprise Server for SAP Applications 12:compat-libldap-2_3-0-2.3.37-18.24.9.7 SUSE Linux Enterprise Server for SAP Applications 12:libldap-2_4-2-2.4.41-18.24.9.1 SUSE Linux Enterprise Server for SAP Applications 12:libldap-2_4-2-32bit-2.4.41-18.24.9.1 SUSE Linux Enterprise Server for SAP Applications 12:openldap2-2.4.41-18.24.9.7 SUSE Linux Enterprise Server for SAP Applications 12:openldap2-back-meta-2.4.41-18.24.9.7 SUSE Linux Enterprise Server for SAP Applications 12:openldap2-client-2.4.41-18.24.9.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20190931-1/ https://www.suse.com/security/cve/CVE-2017-9287.html CVE-2017-9287 https://bugzilla.suse.com/1041764 SUSE Bug 1041764