Openldap - Red Hat ENTERPRISE LINUX 5.5 - TECHNICAL NOTES Manual

1.141. openldap

1.141.1. RHSA-2010:0198: Moderate security and bug fix update
Updated openldap packages that fix one security issue and several bugs are now available for Red
Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link in the References section.
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and
development tools.
A flaw was found in the way OpenLDAP handled NUL characters in the CommonName (CN) field of
X.509 certificates (CVE-2009-3767). Because the CN was treated as a NUL-terminated C string rather
than as a length-prefixed ASN.1 string, a certificate whose CN contains an embedded NUL was compared
only up to that byte. An attacker able to get such a carefully-crafted certificate signed by a trusted
Certificate Authority could trick applications using the OpenLDAP libraries into accepting it as valid for
the name before the NUL, allowing the attacker to perform a man-in-the-middle attack.
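The following is an added illustration of the flaw and its fix, not code from OpenLDAP or from this advisory. It models the host-name comparison with two functions: the vulnerable form hands the CN to strcmp(), which stops at the first NUL; the hardened form treats the ASN.1 length as authoritative, refuses any CN that contains a NUL inside that length, and compares the full length with memcmp(). The CN bytes, the host names and the function names are constructed for the example; wildcard matching and subjectAltName handling, which a real implementation also needs, are deliberately left out.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example CN as it would sit inside the certificate: an ASN.1
 * string carries its own length, so the embedded NUL is just another byte.
 * This is made-up test data, not taken from a real certificate. */
static const unsigned char evil_cn[] = "ldap.example.com\0.attacker.test";
static const size_t evil_cn_len = sizeof(evil_cn) - 1;   /* 31 bytes, NUL inside */

/* Vulnerable comparison: the CN bytes are treated as a C string, so strcmp()
 * stops at the embedded NUL and only "ldap.example.com" is ever compared.
 * The real length of the CN is never looked at. */
int match_cn_vulnerable(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;                                   /* length is ignored */
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened comparison: the ASN.1 length is authoritative. A NUL anywhere
 * inside that length means the CN was crafted, so the match is refused;
 * otherwise the whole length is compared with memcmp(), not a C string call. */
int match_cn_fixed(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;
    return cn_len == strlen(host) && memcmp(cn, host, cn_len) == 0;
}

int main(void)
{
    const char *host = "ldap.example.com";
    printf("vulnerable: %s\n",
           match_cn_vulnerable(evil_cn, evil_cn_len, host) ? "ACCEPTED" : "rejected");
    printf("fixed:      %s\n",
           match_cn_fixed(evil_cn, evil_cn_len, host) ? "ACCEPTED" : "rejected");
    return 0;
}
```

Run stand-alone, the vulnerable function accepts the crafted CN for ldap.example.com while the fixed one rejects it. On an installed system, `rpm -q --changelog openldap | grep CVE-2009-3767` confirms whether the fixed packages from this advisory are present.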
This update also fixes the following bugs:
* the ldap init script did not provide a way to alter system limits for the slapd daemon. A variable is now
available in "/etc/sysconfig/ldap" for this option. (BZ#527313)
* applications that use the OpenLDAP libraries to contact a Microsoft Active Directory server could
crash when a large number of network interfaces existed. This update adds locking to the OpenLDAP
library code to resolve this issue. (BZ#510522)
* when slapd was configured to allow client certificates, approximately 90% of connections froze
because of a large CA certificate file and slapd not checking the success of the SSL handshake.
(BZ#509230)
* the OpenLDAP server would freeze for unknown reasons under high load. These packages add
support for accepting incoming connections in new threads, resolving the issue. (BZ#507276)
* the compat-openldap libraries did not declare dependencies on the libraries they use, causing programs
that did not explicitly link against those libraries to fail. Detection of the Application Binary Interface
(ABI) in use on 64-bit systems has been added with this update. (BZ#503734)
* the OpenLDAP libraries caused applications to crash due to an unprocessed network timeout. A NULL
timeout passed to the LDAP API is now converted to a timeval of -1 (no timeout) instead of being left
unprocessed. (BZ#495701)
* slapd could crash on a server under heavy load when using the rwm overlay, caused by freeing
non-allocated memory during operation cleanup. (BZ#495628)
References
CVE-2009-3767: https://www.redhat.com/security/data/cve/CVE-2009-3767.html
BZ#527313: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=527313
BZ#510522: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=510522
BZ#509230: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=509230
BZ#507276: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=507276
BZ#503734: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=503734
BZ#495701: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=495701
BZ#495628: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=495628