Description:
Summary: The remote host is missing an update for the 'openldap' package(s) announced via the referenced advisory.
Vulnerability Insight: Multiple vulnerabilities have been identified and fixed in openldap:
chain.c in back-ldap in OpenLDAP 2.4.x before 2.4.24, when a master-slave configuration with a chain overlay and ppolicy_forward_updates (aka authentication-failure forwarding) is used, allows remote authenticated users to bypass external-program authentication by sending an invalid password to a slave server (CVE-2011-1024).
bind.cpp in back-ndb in OpenLDAP 2.4.x before 2.4.24 does not require authentication for the root Distinguished Name (DN), which allows remote attackers to bypass intended access restrictions via an arbitrary password (CVE-2011-1025).
modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attackers to cause a denial of service (daemon crash) via a relative Distinguished Name (DN) modification request (aka MODRDN operation) that contains an empty value for the OldDN field (CVE-2011-1081).
The updated packages have been patched to correct these issues.
Affected Software/OS: openldap on Mandriva Linux 2010.0, Mandriva Linux 2010.0/X86_64, Mandriva Linux 2010.1, Mandriva Linux 2010.1/X86_64
Solution: Please install the updated packages.
CVSS Score: 6.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P