Oracle Linux Local Security Checks : Oracle: Security Advisory (ELSA-2015-2131)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.122741

Category: Oracle Linux Local Security Checks

Title: Oracle: Security Advisory (ELSA-2015-2131)

Summary: The remote host is missing an update for the 'openldap' package(s) announced via the ELSA-2015-2131 advisory.

Description: Summary:
The remote host is missing an update for the 'openldap' package(s) announced via the ELSA-2015-2131 advisory.

Vulnerability Insight:
[2.4.40-8]
- NSS does not support string ordering (#1231522)
- implement and correct order of parsing attributes (#1231522)
- add multi_mask and multi_strength to correctly handle sets of attributes (#1231522)
- add new cipher suites and correct AES-GCM attributes (#1245279)
- correct DEFAULT ciphers handling to exclude eNULL cipher suites (#1245279)

[2.4.40-7]
- Merge two MozNSS cipher suite definition patches into one. (#1245279)
- Use what NSS considers default for DEFAULT cipher string. (#1245279)
- Remove unnecessary defaults from ciphers' definitions (#1245279)

[2.4.40-6]
- fix: OpenLDAP shared library destructor triggers memory leaks in NSPR (#1249977)

[2.4.40-5]
- enhancement: support TLS 1.1 and later (#1231522,#1160467)
- fix: openldap ciphersuite parsing code handles masks incorrectly (#1231522)
- fix the patch in commit da1b5c (fix: OpenLDAP crash in NSS shutdown handling) (#1231228)

[2.4.40-4]
- fix: rpm -V complains (#1230263) -- make the previous fix do what was intended

[2.4.40-3]
- fix: rpm -V complains (#1230263)

[2.4.40-2]
- fix: missing frontend database indexing (#1226600)

[2.4.40-1]
- new upstream release (#1147982)
- fix: PIE and RELRO check (#1092562)
- fix: slaptest doesn't convert perlModuleConfig lines (#1184585)
- fix: OpenLDAP crash in NSS shutdown handling (#1158005)
- fix: slapd.service may fail to start if binding to NIC ip (#1198781)
- fix: deadlock during SSL_ForceHandshake when getting connection to replica (#1125152)
- improve check_password (#1174723, #1196243)
- provide an unversioned symlink to check_password.so.1.1 (#1174634)
- add findutils to requires (#1209229)

Affected Software/OS:
'openldap' package(s) on Oracle Linux 7.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2015-3276
1034221
http://www.securitytracker.com/id/1034221
RHSA-2015:2131
http://rhn.redhat.com/errata/RHSA-2015-2131.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
https://bugzilla.redhat.com/show_bug.cgi?id=1238322

Copyright Copyright (C) 2015 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.122741
Category:	Oracle Linux Local Security Checks
Title:	Oracle: Security Advisory (ELSA-2015-2131)
Summary:	The remote host is missing an update for the 'openldap' package(s) announced via the ELSA-2015-2131 advisory.
Description:	Summary: The remote host is missing an update for the 'openldap' package(s) announced via the ELSA-2015-2131 advisory. Vulnerability Insight: [2.4.40-8] - NSS does not support string ordering (#1231522) - implement and correct order of parsing attributes (#1231522) - add multi_mask and multi_strength to correctly handle sets of attributes (#1231522) - add new cipher suites and correct AES-GCM attributes (#1245279) - correct DEFAULT ciphers handling to exclude eNULL cipher suites (#1245279) [2.4.40-7] - Merge two MozNSS cipher suite definition patches into one. (#1245279) - Use what NSS considers default for DEFAULT cipher string. (#1245279) - Remove unnecessary defaults from ciphers' definitions (#1245279) [2.4.40-6] - fix: OpenLDAP shared library destructor triggers memory leaks in NSPR (#1249977) [2.4.40-5] - enhancement: support TLS 1.1 and later (#1231522,#1160467) - fix: openldap ciphersuite parsing code handles masks incorrectly (#1231522) - fix the patch in commit da1b5c (fix: OpenLDAP crash in NSS shutdown handling) (#1231228) [2.4.40-4] - fix: rpm -V complains (#1230263) -- make the previous fix do what was intended [2.4.40-3] - fix: rpm -V complains (#1230263) [2.4.40-2] - fix: missing frontend database indexing (#1226600) [2.4.40-1] - new upstream release (#1147982) - fix: PIE and RELRO check (#1092562) - fix: slaptest doesn't convert perlModuleConfig lines (#1184585) - fix: OpenLDAP crash in NSS shutdown handling (#1158005) - fix: slapd.service may fail to start if binding to NIC ip (#1198781) - fix: deadlock during SSL_ForceHandshake when getting connection to replica (#1125152) - improve check_password (#1174723, #1196243) - provide an unversioned symlink to check_password.so.1.1 (#1174634) - add findutils to requires (#1209229) Affected Software/OS: 'openldap' package(s) on Oracle Linux 7. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2015-3276 1034221 http://www.securitytracker.com/id/1034221 RHSA-2015:2131 http://rhn.redhat.com/errata/RHSA-2015-2131.html http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html https://bugzilla.redhat.com/show_bug.cgi?id=1238322
Copyright	Copyright (C) 2015 Greenbone AG