Vulnerability   
Search   
    Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.871489
Category:Red Hat Local Security Checks
Title:RedHat Update for openldap RHSA-2015:2131-03
Summary:The remote host is missing an update for the 'openldap'; package(s) announced via the referenced advisory.
Description:Summary:
The remote host is missing an update for the 'openldap'
package(s) announced via the referenced advisory.

Vulnerability Insight:
OpenLDAP is an open-source suite of Lightweight
Directory Access Protocol (LDAP) applications and development tools. LDAP is a set
of protocols used to access and maintain distributed directory information services
over an IP network. The openldap packages contain configuration files, libraries,
and documentation for OpenLDAP.

A flaw was found in the way OpenLDAP parsed OpenSSL-style cipher strings.
As a result, OpenLDAP could potentially use ciphers that were not intended
to be enabled. (CVE-2015-3276)

This issue was discovered by Martin Poole of the Red Hat Software
Maintenance Engineering group.

The openldap packages have been upgraded to upstream version 2.4.40, which
provides a number of bug fixes and one enhancement over the previous
version:

* The ORDERING matching rules have been added to the ppolicy attribute type
descriptions.

* The server no longer terminates unexpectedly when processing SRV records.

* Missing objectClass information has been added, which enables the user to
modify the front-end configuration by standard means.

(BZ#1147982)

This update also fixes the following bugs:

* Previously, OpenLDAP did not properly handle a number of simultaneous
updates. As a consequence, sending a number of parallel update requests to
the server could cause a deadlock. With this update, a superfluous locking
mechanism causing the deadlock has been removed, thus fixing the bug.
(BZ#1125152)

* The httpd service sometimes terminated unexpectedly with a segmentation
fault on the libldap library unload. The underlying source code has been
modified to prevent a bad memory access error that caused the bug to occur.
As a result, httpd no longer crashes in this situation. (BZ#1158005)

* After upgrading the system from Red Hat Enterprise Linux 6 to Red Hat
Enterprise Linux 7, symbolic links to certain libraries unexpectedly
pointed to locations belonging to the openldap-devel package. If the user
uninstalled openldap-devel, the symbolic links were broken and the 'rpm -V
openldap' command sometimes produced errors. With this update, the symbolic
links no longer get broken in the described situation. If the user
downgrades openldap to version 2.4.39-6 or earlier, the symbolic links
might break. After such downgrade, it is recommended to verify that the
symbolic links did not break. To do this, make sure the yum-plugin-verify
package is installed and obtain the target libraries by running the 'rpm -V
openldap' or 'yum verify openldap' command. (BZ#1230263)

In addition, this update adds the following enhancement:

* OpenLDAP clients now automatically choose the Netwo ...

Description truncated, please see the referenced URL(s) for more information.

Affected Software/OS:
openldap on Red Hat Enterprise Linux Server (v. 7)

Solution:
Please Install the Updated Packages.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2015-3276
RedHat Security Advisories: RHSA-2015:2131
http://rhn.redhat.com/errata/RHSA-2015-2131.html
http://www.securitytracker.com/id/1034221
CopyrightCopyright (C) 2015 Greenbone Networks GmbH

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2021 E-Soft Inc. All rights reserved.