CVE-2011-1024
Published: 19 March 2011
chain.c in back-ldap in OpenLDAP 2.4.x before 2.4.24, when a master-slave configuration with a chain overlay and ppolicy_forward_updates (aka authentication-failure forwarding) is used, allows remote authenticated users to bypass external-program authentication by sending an invalid password to a slave server.
Notes
| Author | Note |
|---|---|
| jdstrand | openldap 2.2 does not use callbacks for checking if back-ldap returned any results |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
openldap Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Does not exist
|
|
| karmic |
Released
(2.4.18-0ubuntu1.2)
|
|
| lucid |
Released
(2.4.21-0ubuntu5.4)
|
|
| maverick |
Released
(2.4.23-0ubuntu3.5)
|
|
| upstream |
Needs triage
|
|
|
Patches: vendor: https://rhn.redhat.com/errata/RHSA-2011-0347.html |
||
|
openldap2.2 Launchpad, Ubuntu, Debian |
dapper |
Not vulnerable
(code not present)
|
| hardy |
Does not exist
|
|
| karmic |
Does not exist
|
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
openldap2.3 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Released
(2.4.9-0ubuntu0.8.04.5)
|
|
| karmic |
Does not exist
|
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| upstream |
Needs triage
|
|