Hi Andrew, please send all security-critical notifications about bugs to security@suse.de, the security contact address for SuSE. My personal address is not too bad either, but if I'm not there, the team must be able to deal with the information. I am forwarding the mail internally. Thanks for the report! Regards, Roman Drahtmüller, SuSE Security.
Hello all,
I have found a bug that I think is critical in the package openldap2-2.0.11-45 as supplied from SuSE for 7.2 Professional.
I have noticed this bug was also present in openldap2-2.0.11-39; however, it is not present in the original openldap2-2.0.11 package that shipped on the SuSE Linux 7.2 Professional CDs.
The bug can be used to create a DoS-type attack when OpenLDAP is used with the qmail.schema from qmail-ldap as found at http://www.nrg4u.com/. I have not tested yet whether other schemas will also cause this error; I do not think that it is a problem with the schema, due to the fact that it worked with the original OpenLDAP from the 7.2 CDs. I think that it is more likely to be an unhandled exception in this version of OpenLDAP.
When doing this search:
ldapsearch -h localhost -D "cn=administrator,o=oldhammbc,c=uk" -W -L -b "o=oldhammbc,c=uk" -x "qmailUID=503"
it completely quits all slapd processes, causing the LDAP service to be stopped and thus a DoS to users.
I have tested this on a manually compiled version of slapd from OpenLDAP-2.0.23, replacing the slapd binary that comes with the openldap2-2.0.11-45 package, and it does not crash; these are the reasons I am confident that there is a problem with the package from SuSE rather than the qmail part of the installation.
As yet I am unable to do more investigation regarding the exact specifics of the problem.
I have cc'd this email to Roman Drahtmüller; however, I do not know if he is the correct person to send this to. If he isn't, I would like to know who to report this to.
Thanks in advance for any replies or help.
--
Thanks,
Andrew McCall
Internet System Administrator, I.C.T. Division, Oldham MBC
Civic Centre, West Street, Oldham OL1 1UU
Tel: 0161 911 3990  Fax: 0161 911 3998  Email: it.andrew.mccall@oldham.gov.uk
--
Roman Drahtmüller <draht@suse.de>
SuSE Linux AG - Security, Nürnberg, Germany
Phone: +49-911-740530
"You don't need eyes to see, you need vision!" -- Maxi Jazz, Faithless
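The report above describes the symptom an operator would see: every slapd process exits, and the directory simply stops answering. The following liveness probe is an added example, not part of the original mail thread or of the SuSE or OpenLDAP packages. It distinguishes a directory that answers a benign anonymous RootDSE read ("up") from one whose process exists but does not respond ("hung") and from one with no slapd process at all ("down"), which is the state the report describes. The LDAP URI and the two command variables (LDAPSEARCH, SLAPD_PGREP) are assumptions that make the probe overridable for testing or for non-default installations.

```shell
#!/bin/sh
# Added example: liveness probe for slapd, written from an operator's viewpoint.
# Assumed defaults; override via the environment for other hosts or for testing.
LDAP_URI="${LDAP_URI:-ldap://localhost}"
LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"          # assumed: OpenLDAP client binary
SLAPD_PGREP="${SLAPD_PGREP:-pgrep -x slapd}"    # assumed: process-existence check

# Returns 0 when the directory answers an anonymous, base-scope read of the
# RootDSE (no bind credentials, no schema-specific attributes involved).
slapd_responds() {
    "$LDAPSEARCH" -x -H "$LDAP_URI" -s base -b "" -LLL \
        "(objectClass=*)" namingContexts >/dev/null 2>&1
}

# Returns 0 when at least one slapd process exists.
slapd_process_present() {
    $SLAPD_PGREP >/dev/null 2>&1
}

# Prints one of: up | hung | down
slapd_status() {
    if slapd_responds; then
        echo "up"
    elif slapd_process_present; then
        echo "hung"     # process exists but the directory does not answer
    else
        echo "down"     # no slapd process at all: the outage described in the report
    fi
}

# Exit non-zero unless the directory is up, so the probe can drive a monitor
# or a cron job that alerts the on-call administrator.
check_slapd() {
    status=$(slapd_status)
    echo "slapd: $status"
    [ "$status" = "up" ]
}

# Usage when run as a script: ./slapd-probe.sh ; echo "exit=$?"
case "$0" in
    *slapd-probe.sh) check_slapd ;;
esac
```

Run it from a monitoring host or a cron job; a "down" result after a period of "up" is the signal to capture slapd's core file and the last queries from the server log before restarting the service.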