VID | 12094
Severity | 30
Port | 389
Protocol | TCP
Class | LDAP
Detailed Description | The host appears to be running OpenLDAP, which is vulnerable to a denial of service attack via LDAP BIND requests. OpenLDAP is a freely available, open source LDAP directory implementation. OpenLDAP versions prior to 2.3.29 are vulnerable to a denial of service attack, caused by an error when processing BIND requests. A remote, unauthenticated attacker could send a specially-crafted BIND request with long authcid names to cause the server to crash.
* References:
  - http://www.openldap.org/its/index.cgi/Software%20Bugs?id=4740
  - http://www.securityfocus.com/archive/1/450728/30/0/threaded
  - http://www.frsirt.com/english/advisories/2006/4379
  - http://secunia.com/advisories/22750/
* Platforms Affected: OpenLDAP versions prior to 2.3.29; Linux: Any version
Recommendation | Upgrade to the latest version of OpenLDAP, available from the OpenLDAP Download FTP site at ftp://ftp.openpkg.org/release
For Mandriva Linux: Upgrade to a fixed package version of openldap, as listed in Mandriva Linux Security Advisory MDKSA-2006:208 at http://www.mandriva.com/security/advisories?name=MDKSA-2006:208
For Ubuntu Linux: Upgrade to a fixed package version of openldap, as listed in Ubuntu Security Notice USN-384-1 at http://www.ubuntu.com/usn/usn-384-1
For Gentoo Linux: Upgrade to the fixed version of OpenLDAP, as listed in Gentoo Linux Security Announcement GLSA 200611-25 at http://www.gentoo.org/security/en/glsa/glsa-200611-25.xml
Related URL | CVE-2006-5779 (CVE)
Related URL | 20939 (SecurityFocus)
Related URL | 30076 (ISS)