Security update for openldap2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:1685-1 Final 1 1 2022-05-16T11:55:09Z current 2022-05-16T11:55:09Z 2022-05-16T11:55:09Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openldap2 This update for openldap2 fixes the following issues: - CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2022-1685,SUSE-SLE-Module-Legacy-12-2022-1685,SUSE-SLE-SAP-12-SP3-2022-1685,SUSE-SLE-SAP-12-SP4-2022-1685,SUSE-SLE-SAP-12-SP5-2022-1685 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20221685-1/ Link for SUSE-SU-2022:1685-1 https://lists.suse.com/pipermail/sle-security-updates/2022-May/011032.html E-Mail link for SUSE-SU-2022:1685-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1199240 SUSE Bug 1199240 https://www.suse.com/security/cve/CVE-2022-29155/ SUSE CVE CVE-2022-29155 page SUSE Linux Enterprise Module for Legacy 12 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 compat-libldap-2_3-0-2.3.37-42.1 openldap2-2.4.41-42.1 openldap2-back-meta-2.4.41-42.1 openldap2-back-perl-2.4.41-42.1 openldap2-back-sql-2.4.41-42.1 openldap2-doc-2.4.41-42.1 compat-libldap-2_3-0-2.3.37-42.1 as a component of SUSE Linux Enterprise Module for Legacy 12 compat-libldap-2_3-0-2.3.37-42.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 compat-libldap-2_3-0-2.3.37-42.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 compat-libldap-2_3-0-2.3.37-42.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping. CVE-2022-29155 SUSE Linux Enterprise Module for Legacy 12:compat-libldap-2_3-0-2.3.37-42.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:compat-libldap-2_3-0-2.3.37-42.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:compat-libldap-2_3-0-2.3.37-42.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:compat-libldap-2_3-0-2.3.37-42.1 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20221685-1/ https://www.suse.com/security/cve/CVE-2022-29155.html CVE-2022-29155 https://bugzilla.suse.com/1199240 SUSE Bug 1199240 https://bugzilla.suse.com/1202818 SUSE Bug 1202818 https://bugzilla.suse.com/1204120 SUSE Bug 1204120 https://bugzilla.suse.com/1207513 SUSE Bug 1207513 https://bugzilla.suse.com/1208312 SUSE Bug 1208312 https://bugzilla.suse.com/1210149 SUSE Bug 1210149