DSA 1943-1: New openldap2.3/openldap packages fix SSL certificate verification weakness  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1943 security@debian.org
http://www.debian.org/security/ Giuseppe Iuculano
December 02, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------


Packages : openldap openldap2.3
Vulnerability : insufficient input validation
Problem type : remote
Debian-specific: no
Debian bug : 553432
CVE ID : CVE-2009-3767

It was discovered that OpenLDAP, a free implementation of the Lightweight
Directory Access Protocol, when OpenSSL is used, does not properly handle a ''
character in a domain name in the subject's Common Name (CN) field of an X.509
certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL
servers via a crafted certificate issued by a legitimate Certification Authority.

For the oldstable distribution (etch), this problem has been fixed in version
2.3.30-5+etch3 for openldap2.3.

For the stable distribution (lenny), this problem has been fixed in version
2.4.11-1+lenny1 for openldap.

For the testing distribution (squeeze), and the unstable distribution (sid),
this problem has been fixed in version 2.4.17-2.1 for openldap.


We recommend that you upgrade your openldap2.3/openldap packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.

Source archives:


http://security.debian.org/pool/updates/main/o/openldap2.3/openldap2.3_2.3.30.orig.tar.gz
Size/MD5 checksum: 2971126 c40bcc23fa65908b8d7a86a4a6061251

http://security.debian.org/pool/updates/main/o/openldap2.3/openldap2.3_2.3.30-5+etch3.dsc
Size/MD5 checksum: 1214 36efc1cf2a98c54d4b1da0910e273843

http://security.debian.org/pool/updates/main/o/openldap2.3/openldap2.3_2.3.30-5+etch3.diff.gz
Size/MD5 checksum: 315058 310ce752b78ff3227d78dcd8c1bd60a5

alpha architecture (DEC Alpha)


http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_alpha.deb
Size/MD5 checksum: 293108 2172048d5f8b8b7f379b3414fc5c2e37

http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_alpha.deb
Size/MD5 checksum: 1280772 ab65f162a40607c1787f9b03783a7563

http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_alpha.deb
Size/MD5 checksum: 193768 602a6da790648dd8b0af7d9f386b5c6e

amd64 architecture (AMD x86_64 (AMD64))


http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_amd64.deb
Size/MD5 checksum: 285554 42480b47018eb1d70b9e62d05b925a5b

http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_amd64.deb
Size/MD5 checksum: 1244570 b88256f8259516b09c51f166ff6b4aea

http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_amd64.deb
Size/MD5 checksum: 184652 716cc53985a031d1fe03fede778d6ae5

arm architecture (ARM)


http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_arm.deb
Size/MD5 checksum: 1190314 8686c6a9a9240e6113f92c8bb20d7e1a

http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_arm.deb
Size/MD5 checksum: 254828 49d9c9a250fb4a5a828de5791ee92380

http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_arm.deb
Size/MD5 checksum: 155876 bb45d3104fe4b9811fdb3063da42d3b1

hppa architecture (HP PA RISC)


http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_hppa.deb
Size/MD5 checksum: 1307146 698d7416e4cc544522ce2e25ac9c0fce

http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_hppa.deb
Size/MD5 checksum: 292798 eb9d6d19560a1153cc58ccae3f354a4e

http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_hppa.deb
Size/MD5 checksum: 182568 caade74265ee9d7b8ac77c844c23b413

i386 architecture (Intel ia32)


http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_i386.deb
Size/MD5 checksum: 1177552 f3ccf11b82474593af5e30a272f9edb9

http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_i386.deb
Size/MD5 checksum: 148744 168e58797e74f9b3b6d3c337b6369ca7

http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_i386.deb
Size/MD5 checksum: 266538 3be52b8402d06913624a3e808be58ecb

ia64 architecture (Intel ia64)


http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_ia64.deb
Size/MD5 checksum: 239248 78d1537b3a106824ff5d076e828a0312

http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_ia64.deb
Size/MD5 checksum: 379904 dbc96e1a44dce4bb5f79b9c043823293

http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_ia64.deb
Size/MD5 checksum: 1660854 fcc2873ffd50e45c956d9bcc81d83c51

mips architecture (MIPS (Big Endian))


http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_mips.deb
Size/MD5 checksum: 258210 298f5a83a1efd8c035644fd58df21f2c

http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_mips.deb
Size/MD5 checksum: 185598 b6c67ee072f2de03820e7ce11edb39c3

http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_mips.deb
Size/MD5 checksum: 1205768 3f312958af5ea129384513e5fab72208

mipsel architecture (MIPS (Little Endian))


http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_mipsel.deb
Size/MD5 checksum: 258852 d7ba57787989e3fb5035fce34b04965d

http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_mipsel.deb
Size/MD5 checksum: 187100 46910e3923926ac060c13a7a53f8cac4

http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_mipsel.deb
Size/MD5 checksum: 1188878 5698884b42d7206c2b0c134602861354

powerpc architecture (PowerPC)


http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_powerpc.deb
Size/MD5 checksum: 188914 e03855167b8e13bdb72e47baa9644f86

http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_powerpc.deb
Size/MD5 checksum: 272378 f5741b7ac8f4172e7481f5c2e699231b

http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_powerpc.deb
Size/MD5 checksum: 1243754 2a8b933e956e5ac4bc29028688bb09ec

s390 architecture (IBM S/390)


http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_s390.deb
Size/MD5 checksum: 291822 6b47ac5b7fbc269c1973c494d5dadbc2

http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_s390.deb
Size/MD5 checksum: 168716 f72b023d98d61565c624f7acbf953baf

http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_s390.deb
Size/MD5 checksum: 1241532 0167eb506b063de5435181f40c6cf809

sparc architecture (Sun SPARC/UltraSPARC)


http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_sparc.deb
Size/MD5 checksum: 1177712 770a58d0c60ad11e5ca4cf25159fe2c7

http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_sparc.deb
Size/MD5 checksum: 153682 d8bf20f2a94456451d4ea29d3237d280

http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_sparc.deb
Size/MD5 checksum: 258560 4bfd77d56852608813f158ecfd91b42b


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.

Source archives:


http://security.debian.org/pool/updates/main/o/openldap/openldap_2.4.11-1+lenny1.diff.gz
Size/MD5 checksum: 148075 024b717169f42734ee5650ebe2978631

http://security.debian.org/pool/updates/main/o/openldap/openldap_2.4.11-1+lenny1.dsc
Size/MD5 checksum: 1831 ca4cb86b4847a59f95275ff2f4d0e173

http://security.debian.org/pool/updates/main/o/openldap/openldap_2.4.11.orig.tar.gz
Size/MD5 checksum: 4193523 d4e8669e2c9b8d981e371e97e3cf92d9

alpha architecture (DEC Alpha)


http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_alpha.deb
Size/MD5 checksum: 3624752 5b4e467360ecd8cc897b03b5aca57dad

http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_alpha.deb
Size/MD5 checksum: 205526 3b083869976ab4d8d8df69d27fe9480e

http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_alpha.deb
Size/MD5 checksum: 280526 4ed333757fef7e98d89c5edda6589b04

http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_alpha.deb
Size/MD5 checksum: 1537448 98d6aeab748560a491e0b526d930fc0c

http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_alpha.deb
Size/MD5 checksum: 1013148 cc656603f7ae0eacc2b3c22dd1fae967

http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_alpha.deb
Size/MD5 checksum: 285128 e526e547a4af2c13bf3ae90dfdf023a2

amd64 architecture (AMD x86_64 (AMD64))


http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_amd64.deb
Size/MD5 checksum: 1493300 31c077d63cc2ff159927939cadb29808

http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_amd64.deb
Size/MD5 checksum: 299612 e148216f77a9136adb19acd8df026d6d

http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_amd64.deb
Size/MD5 checksum: 267470 f903f46433faa1d2b6b203e50aaed3d8

http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_amd64.deb
Size/MD5 checksum: 881074 de337737dd93af0b81bd90e3c6f23377

http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_amd64.deb
Size/MD5 checksum: 3664994 8ad4581bd54e1ed7a8f3c1c8bf210c17

http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_amd64.deb
Size/MD5 checksum: 204896 c0dba3b62aa14392d29f831d6c87206d

arm architecture (ARM)


http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_arm.deb
Size/MD5 checksum: 280140 ccaed923684d35304f50f27fc6b868b3

http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_arm.deb
Size/MD5 checksum: 248918 a08cf9fd18ce8806be437c364179c2b3

http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_arm.deb
Size/MD5 checksum: 877400 614df898211cc5311a62159f6ee21b93

http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_arm.deb
Size/MD5 checksum: 1405962 5e1e62d6f0a5984486fa2eaa478eab38

http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_arm.deb
Size/MD5 checksum: 180520 96b5fe5d50b9a1d59eb5ab03489a1b90

http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_arm.deb
Size/MD5 checksum: 3572646 a8e804a9e966a57306a9229acd11ff80

hppa architecture (HP PA RISC)


http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_hppa.deb
Size/MD5 checksum: 1533292 8d5c2d83596b10c9d3ee7a4dcb692026

http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_hppa.deb
Size/MD5 checksum: 3619256 2ad8452962291b553fadc8bb6398f834

http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_hppa.deb
Size/MD5 checksum: 200874 27205d8a86701cb133f7507eeef5e76a

http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_hppa.deb
Size/MD5 checksum: 283816 1163f67e39b08c10cf492b24bd526f24

http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_hppa.deb
Size/MD5 checksum: 264158 905749f1e385f9d93c2358b05dc42dfb

http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_hppa.deb
Size/MD5 checksum: 999386 6a071952604a9c30483fca7f3a3754ec

i386 architecture (Intel ia32)


http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_i386.deb
Size/MD5 checksum: 189442 879dac84b581979646c49bde9743c630

http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_i386.deb
Size/MD5 checksum: 286808 2dcb4f8e5514d9e4d9072b4853da322d

http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_i386.deb
Size/MD5 checksum: 892068 449ba5d6037617e4e93dfd6bcb093549

http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_i386.deb
Size/MD5 checksum: 3560322 c6a6fbc66944bd05585c1065ab012c93

http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_i386.deb
Size/MD5 checksum: 244952 5a5b31ebb9098059e62eb57d209a6846

http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_i386.deb
Size/MD5 checksum: 1404266 a3bffb93ec3b0d0d130a6a7e29091a9b

ia64 architecture (Intel ia64)


http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_ia64.deb
Size/MD5 checksum: 3589108 d34afb06a3b21ad7267ef5d31b6ad322

http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_ia64.deb
Size/MD5 checksum: 932026 1194a002673f8a73cf382c2333c7882b

http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_ia64.deb
Size/MD5 checksum: 352020 e40c570396514fee0c6eee3920be2607

http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_ia64.deb
Size/MD5 checksum: 269084 1720388cc8102f33122375034a703a05

http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_ia64.deb
Size/MD5 checksum: 259018 658248f4329555e81896800709302575

http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_ia64.deb
Size/MD5 checksum: 2006532 6ad20563d8999759f32445576fd69856

mips architecture (MIPS (Big Endian))


http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_mips.deb
Size/MD5 checksum: 3712752 8d48a2797c1f4e6b5dea203698e4b31c

http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_mips.deb
Size/MD5 checksum: 180956 88613b463fcdba79539048ce681d4f5e

http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_mips.deb
Size/MD5 checksum: 260240 f6fa5402a6fc03aef4b87735030969c5

http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_mips.deb
Size/MD5 checksum: 854756 76ad64ab6fe85c5bfc654266101e024a

http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_mips.deb
Size/MD5 checksum: 1394436 4930b2b56c642182c8ccd69d5bc53685

http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_mips.deb
Size/MD5 checksum: 302106 3672bab4d2c0c037a1d9c0a61fa16139

powerpc architecture (PowerPC)


http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_powerpc.deb
Size/MD5 checksum: 3718584 7b120292ce66e7ea85b3ad623da0bb4e

http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_powerpc.deb
Size/MD5 checksum: 295146 f131ea5cdbab25c2416ff06f6697bc08

http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_powerpc.deb
Size/MD5 checksum: 199248 c683d506deb5fadabea906c9dec36c9f

http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_powerpc.deb
Size/MD5 checksum: 1536614 b5c37ae6f72127bdf6910100edeb06e5

http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_powerpc.deb
Size/MD5 checksum: 907106 6af4614c092e6ccda8580e6a73cb8728

http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_powerpc.deb
Size/MD5 checksum: 284952 b75e2ddab46ddab036ef40b21cec63ee

sparc architecture (Sun SPARC/UltraSPARC)


http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_sparc.deb
Size/MD5 checksum: 872178 a7739e034d0df26a69e0cb569802d594

http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_sparc.deb
Size/MD5 checksum: 249022 334ecf73608e20ec6cff79716cf10fde

http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_sparc.deb
Size/MD5 checksum: 1387990 4935db487abd61e04adb3a846ed7aadc

http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_sparc.deb
Size/MD5 checksum: 260980 006fdd6b90293fdf1331442ccabde568

http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_sparc.deb
Size/MD5 checksum: 182822 73c3edfab6b52e772ed36c990c13f210

http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_sparc.deb
Size/MD5 checksum: 3502906 c19b8875ae915cec344bb74a5e462e44


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksW4AQACgkQNxpp46476aqFDwCfZRJ0eCTLZ7Wvra3eWlaVIVsK
mWIAniapjMkolimxTFStHJO6vlEk4Fnj
=WbVZ
-----END PGP SIGNATURE-----
"

DSA 1912-2: New advi packages fix arbitrary code executionThe Big Reunion Festival gets ready to party

This entry was posted on 1:48 PM .