Security update for openldap2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:14419-1 Final 1 1 2020-07-06T15:04:50Z current 2020-07-06T15:04:50Z 2020-07-06T15:04:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openldap2 This update for openldap2 fixes the following issues: - CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). secsp3-openldap2-14419,sleposp3-openldap2-14419,slessp4-openldap2-14419 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-202014419-1/ Link for SUSE-SU-2020:14419-1 https://lists.suse.com/pipermail/sle-security-updates/2020-July/007083.html E-Mail link for SUSE-SU-2020:14419-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1172698 SUSE Bug 1172698 https://www.suse.com/security/cve/CVE-2020-8023/ SUSE CVE CVE-2020-8023 page SUSE Linux Enterprise Point of Sale 11 SP3 SUSE Linux Enterprise Server 11 SP4-LTSS SUSE Linux Enterprise Server 11-SECURITY libldap-openssl1-2_4-2-2.4.26-0.74.13.1 libldap-openssl1-2_4-2-32bit-2.4.26-0.74.13.1 libldap-openssl1-2_4-2-x86-2.4.26-0.74.13.1 openldap2-client-openssl1-2.4.26-0.74.13.1 openldap2-openssl1-2.4.26-0.74.13.1 compat-libldap-2_3-0-2.3.37-2.74.13.1 libldap-2_4-2-2.4.26-0.74.13.1 openldap2-2.4.26-0.74.13.1 openldap2-back-meta-2.4.26-0.74.13.1 openldap2-client-2.4.26-0.74.13.1 libldap-2_4-2-32bit-2.4.26-0.74.13.1 compat-libldap-2_3-0-2.3.37-2.74.13.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 libldap-2_4-2-2.4.26-0.74.13.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 openldap2-2.4.26-0.74.13.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 openldap2-back-meta-2.4.26-0.74.13.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 openldap2-client-2.4.26-0.74.13.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 compat-libldap-2_3-0-2.3.37-2.74.13.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS libldap-2_4-2-2.4.26-0.74.13.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS libldap-2_4-2-32bit-2.4.26-0.74.13.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS openldap2-2.4.26-0.74.13.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS openldap2-back-meta-2.4.26-0.74.13.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS openldap2-client-2.4.26-0.74.13.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS libldap-openssl1-2_4-2-2.4.26-0.74.13.1 as a component of SUSE Linux Enterprise Server 11-SECURITY libldap-openssl1-2_4-2-32bit-2.4.26-0.74.13.1 as a component of SUSE Linux Enterprise Server 11-SECURITY libldap-openssl1-2_4-2-x86-2.4.26-0.74.13.1 as a component of SUSE Linux Enterprise Server 11-SECURITY openldap2-client-openssl1-2.4.26-0.74.13.1 as a component of SUSE Linux Enterprise Server 11-SECURITY openldap2-openssl1-2.4.26-0.74.13.1 as a component of SUSE Linux Enterprise Server 11-SECURITY A acceptance of Extraneous Untrusted Data With Trusted Data vulnerability in the start script of openldap2 of SUSE Enterprise Storage 5, SUSE Linux Enterprise Debuginfo 11-SP3, SUSE Linux Enterprise Debuginfo 11-SP4, SUSE Linux Enterprise Point of Sale 11-SP3, SUSE Linux Enterprise Server 11-SECURITY, SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8; openSUSE Leap 15.1, openSUSE Leap 15.2 allows local attackers to escalate privileges from user ldap to root. This issue affects: SUSE Enterprise Storage 5 openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Debuginfo 11-SP3 openldap2 versions prior to 2.4.26-0.74.13.1,. SUSE Linux Enterprise Debuginfo 11-SP4 openldap2 versions prior to 2.4.26-0.74.13.1,. SUSE Linux Enterprise Point of Sale 11-SP3 openldap2 versions prior to 2.4.26-0.74.13.1,. SUSE Linux Enterprise Server 11-SECURITY openldap2-client-openssl1 versions prior to 2.4.26-0.74.13.1. SUSE Linux Enterprise Server 11-SP4-LTSS openldap2 versions prior to 2.4.26-0.74.13.1,. SUSE Linux Enterprise Server 12-SP2-BCL openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server 12-SP2-LTSS openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server 12-SP3-BCL openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server 12-SP3-LTSS openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server 12-SP4 openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server 12-SP5 openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server 15-LTSS openldap2 versions prior to 2.4.46-9.31.1. SUSE Linux Enterprise Server for SAP 12-SP2 openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server for SAP 12-SP3 openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server for SAP 15 openldap2 versions prior to 2.4.46-9.31.1. SUSE OpenStack Cloud 7 openldap2 versions prior to 2.4.41-18.71.2. SUSE OpenStack Cloud 8 openldap2 versions prior to 2.4.41-18.71.2. SUSE OpenStack Cloud Crowbar 8 openldap2 versions prior to 2.4.41-18.71.2. openSUSE Leap 15.1 openldap2 versions prior to 2.4.46-lp151.10.12.1. openSUSE Leap 15.2 openldap2 versions prior to 2.4.46-lp152.14.3.1. CVE-2020-8023 SUSE Linux Enterprise Point of Sale 11 SP3:compat-libldap-2_3-0-2.3.37-2.74.13.1 SUSE Linux Enterprise Point of Sale 11 SP3:libldap-2_4-2-2.4.26-0.74.13.1 SUSE Linux Enterprise Point of Sale 11 SP3:openldap2-2.4.26-0.74.13.1 SUSE Linux Enterprise Point of Sale 11 SP3:openldap2-back-meta-2.4.26-0.74.13.1 SUSE Linux Enterprise Point of Sale 11 SP3:openldap2-client-2.4.26-0.74.13.1 SUSE Linux Enterprise Server 11 SP4-LTSS:compat-libldap-2_3-0-2.3.37-2.74.13.1 SUSE Linux Enterprise Server 11 SP4-LTSS:libldap-2_4-2-2.4.26-0.74.13.1 SUSE Linux Enterprise Server 11 SP4-LTSS:libldap-2_4-2-32bit-2.4.26-0.74.13.1 SUSE Linux Enterprise Server 11 SP4-LTSS:openldap2-2.4.26-0.74.13.1 SUSE Linux Enterprise Server 11 SP4-LTSS:openldap2-back-meta-2.4.26-0.74.13.1 SUSE Linux Enterprise Server 11 SP4-LTSS:openldap2-client-2.4.26-0.74.13.1 SUSE Linux Enterprise Server 11-SECURITY:libldap-openssl1-2_4-2-2.4.26-0.74.13.1 SUSE Linux Enterprise Server 11-SECURITY:libldap-openssl1-2_4-2-32bit-2.4.26-0.74.13.1 SUSE Linux Enterprise Server 11-SECURITY:libldap-openssl1-2_4-2-x86-2.4.26-0.74.13.1 SUSE Linux Enterprise Server 11-SECURITY:openldap2-client-openssl1-2.4.26-0.74.13.1 SUSE Linux Enterprise Server 11-SECURITY:openldap2-openssl1-2.4.26-0.74.13.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-202014419-1/ https://www.suse.com/security/cve/CVE-2020-8023.html CVE-2020-8023 https://bugzilla.suse.com/1172698 SUSE Bug 1172698 https://bugzilla.suse.com/1190347 SUSE Bug 1190347