CVE-2015-6908

Published: 11 September 2015

The ber_get_next function in libraries/liblber/io.c in OpenLDAP 2.4.42 and earlier allows remote attackers to cause a denial of service (reachable assertion and application crash) via crafted BER data, as demonstrated by an attack against slapd.

Priority

Status

Package	Release	Status
openldap Launchpad, Ubuntu, Debian	precise	Released (2.4.28-1.1ubuntu4.6)
	trusty	Released (2.4.31-1+nmu2ubuntu8.2)
	upstream	Released (2.4.42+dfsg-2)
	vivid	Released (2.4.31-1+nmu2ubuntu12.3)
	Patches: upstream: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=6fe51a9ab04fd28bbc171da3cf12f1c1040d6629

References

http://www.openwall.com/lists/oss-security/2015/09/11/2
https://ubuntu.com/security/notices/USN-2742-1
https://www.cve.org/CVERecord?id=CVE-2015-6908
NVD
Launchpad
Debian

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798622
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›