OracleVM 3.2 : openldap (OVMSA-2016-0069)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing one or more security updates.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- CVE-2015-6908 openldap: ber_get_next denial of service
vulnerability (#1263170)

- fix: syncprov psearch race condition (#999811)

- fix: CVE-2013-4449 segfault on certain queries with rwm
overlay (#1064146)

- fix: do not send IPv6 DNS queries when IPv6 is disabled
on the host (#812772)

- fix: disable static libraries stripping (#684630)

- fix: memory leaks in syncrepl and slap_sl_free (#741184)

- new feature update: honor priority/weight with
ldap_domain2hostlist (#733435)

- fix: initscript marked as %config incorrectly (#738768)

- new feature: honor priority/weight with
ldap_domain2hostlist (#733435)

- fix: strict aliasing warnings during package build
(#732381)

- fix: OpenLDAP packages lack debug data (#684630)

- doc: Document preferred use of TLS_CACERT instead of
TLS_CACERTDIR to specify Certificate Authorities
(#699652)

- fix: libldap ignores a directory of CA certificates if
any of them can't be read (#609722)

- fix: Migration: migrate_all_offline.sh can't handle
duplicate entries (#563148)

- fix: Init script is working wrong if database recovery
is needed (#604092)

- fix: CVE-2011-1024 ppolicy forwarded bind failure
messages cause success (#680486)

- fix: slapd concurrent access to connections causes slapd
to silently die (#641953)

- backport: ldap_init_fd API function

- fix: ppolicy crash while replace-deleting userPassword
attribute (#665951)

- fix: connection freeze when using TLS (#591419)

- don't remove task twice during replication

- fixed segfault issues in modrdn (#606375)

- added patch handling null char in TLS to compat package
(#606375, patch backported by Jan Vcelak )

See also :

https://oss.oracle.com/pipermail/oraclevm-errata/2016-June/000489.html

Solution :

Update the affected openldap / openldap-clients packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 4.1
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: OracleVM Local Security Checks

Nessus Plugin ID: 91749 ()

Bugtraq ID: 46363
63190

CVE ID: CVE-2011-1024
CVE-2013-4449
CVE-2015-6908

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now