[RHSA-2015:2131-03] Moderate: openldap security, bug fix, and enhancement update

[news 28]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Moderate: openldap security, bug fix, and enhancement update

Advisory ID: RHSA-2015:2131-03

Product: Red Hat Enterprise Linux

Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2131.html

Issue date: 2015-11-19

CVE Names: CVE-2015-3276

=====================================================================

 

1. Summary:

 

Updated openldap packages that fix one security issue, several bugs, and

add one enhancement are now available for Red Hat Enterprise Linux 7.

 

Red Hat Product Security has rated this update as having Moderate security

impact. A Common Vulnerability Scoring System (CVSS) base score, which

gives a detailed severity rating, is available from the CVE link in the

References section.

 

2. Relevant releases/architectures:

 

Red Hat Enterprise Linux Client (v. 7) - x86_64

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64

Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64

Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64

Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 7) - x86_64

Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

 

3. Description:

 

OpenLDAP is an open-source suite of Lightweight Directory Access Protocol

(LDAP) applications and development tools. LDAP is a set of protocols used

to access and maintain distributed directory information services over an

IP network. The openldap packages contain configuration files, libraries,

and documentation for OpenLDAP.

 

A flaw was found in the way OpenLDAP parsed OpenSSL-style cipher strings.

As a result, OpenLDAP could potentially use ciphers that were not intended

to be enabled. (CVE-2015-3276)

 

This issue was discovered by Martin Poole of the Red Hat Software

Maintenance Engineering group.

 

The openldap packages have been upgraded to upstream version 2.4.40, which

provides a number of bug fixes and one enhancement over the previous

version:

 

* The ORDERING matching rules have been added to the ppolicy attribute type

descriptions.

* The server no longer terminates unexpectedly when processing SRV records.

* Missing objectClass information has been added, which enables the user to

modify the front-end configuration by standard means.

 

(BZ#1147982)

 

This update also fixes the following bugs:

 

* Previously, OpenLDAP did not properly handle a number of simultaneous

updates. As a consequence, sending a number of parallel update requests to

the server could cause a deadlock. With this update, a superfluous locking

mechanism causing the deadlock has been removed, thus fixing the bug.

(BZ#1125152)

 

* The httpd service sometimes terminated unexpectedly with a segmentation

fault on the libldap library unload. The underlying source code has been

modified to prevent a bad memory access error that caused the bug to occur.

As a result, httpd no longer crashes in this situation. (BZ#1158005)

 

* After upgrading the system from Red Hat Enterprise Linux 6 to Red Hat

Enterprise Linux 7, symbolic links to certain libraries unexpectedly

pointed to locations belonging to the openldap-devel package. If the user

uninstalled openldap-devel, the symbolic links were broken and the "rpm -V

openldap" command sometimes produced errors. With this update, the symbolic

links no longer get broken in the described situation. If the user

downgrades openldap to version 2.4.39-6 or earlier, the symbolic links

might break. After such downgrade, it is recommended to verify that the

symbolic links did not break. To do this, make sure the yum-plugin-verify

package is installed and obtain the target libraries by running the "rpm -V

openldap" or "yum verify openldap" command. (BZ#1230263)

 

In addition, this update adds the following enhancement:

 

* OpenLDAP clients now automatically choose the Network Security Services

(NSS) default cipher suites for communication with the server. It is no

longer necessary to maintain the default cipher suites manually in the

OpenLDAP source code. (BZ#1245279)

 

All openldap users are advised to upgrade to these updated packages, which

correct these issues and add this enhancement.

 

4. Solution:

 

Before applying this update, make sure all previously released errata

relevant to your system have been applied.

 

For details on how to apply this update, refer to:

 

https://access.redhat.com/articles/11258

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1147982 - Rebase openldap to 2.4.40

1158005 - OpenLDAP crash in NSS shutdown handling

1174634 - pwdChecker library requires version in pwdCheckModule attribute

1174723 - values for pwdChecker are not set to default values

1175415 - openldap: crash in ldap_domain2hostlist when processing SRV records

1184585 - slaptest doesn't convert perlModuleConfig lines

1209229 - openldap-servers leverages 'find' from findutils which is not a dep of the rpm

1226600 - olcDatabase in olcFrontend attribute incorrect/faulty

1230263 - rpm -V openldap complains

1231228 - automount via ldap with TLS/SSL support is not working

1238322 - CVE-2015-3276 openldap: incorrect multi-keyword mode cipherstring parsing

1245279 - OpenLDAP doesn't use sane (or default) cipher order

 

6. Package List:

 

Red Hat Enterprise Linux Client (v. 7):

 

Source:

openldap-2.4.40-8.el7.src.rpm

 

x86_64:

openldap-2.4.40-8.el7.i686.rpm

openldap-2.4.40-8.el7.x86_64.rpm

openldap-clients-2.4.40-8.el7.x86_64.rpm

openldap-debuginfo-2.4.40-8.el7.i686.rpm

openldap-debuginfo-2.4.40-8.el7.x86_64.rpm

 

Red Hat Enterprise Linux Client Optional (v. 7):

 

x86_64:

openldap-debuginfo-2.4.40-8.el7.i686.rpm

openldap-debuginfo-2.4.40-8.el7.x86_64.rpm

openldap-devel-2.4.40-8.el7.i686.rpm

openldap-devel-2.4.40-8.el7.x86_64.rpm

openldap-servers-2.4.40-8.el7.x86_64.rpm

openldap-servers-sql-2.4.40-8.el7.x86_64.rpm

 

Red Hat Enterprise Linux ComputeNode (v. 7):

 

Source:

openldap-2.4.40-8.el7.src.rpm

 

x86_64:

openldap-2.4.40-8.el7.i686.rpm

openldap-2.4.40-8.el7.x86_64.rpm

openldap-clients-2.4.40-8.el7.x86_64.rpm

openldap-debuginfo-2.4.40-8.el7.i686.rpm

openldap-debuginfo-2.4.40-8.el7.x86_64.rpm

 

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

 

x86_64:

openldap-debuginfo-2.4.40-8.el7.i686.rpm

openldap-debuginfo-2.4.40-8.el7.x86_64.rpm

openldap-devel-2.4.40-8.el7.i686.rpm

openldap-devel-2.4.40-8.el7.x86_64.rpm

openldap-servers-2.4.40-8.el7.x86_64.rpm

openldap-servers-sql-2.4.40-8.el7.x86_64.rpm

 

Red Hat Enterprise Linux Server (v. 7):

 

Source:

openldap-2.4.40-8.el7.src.rpm

 

aarch64:

openldap-2.4.40-8.el7.aarch64.rpm

openldap-clients-2.4.40-8.el7.aarch64.rpm

openldap-debuginfo-2.4.40-8.el7.aarch64.rpm

openldap-devel-2.4.40-8.el7.aarch64.rpm

openldap-servers-2.4.40-8.el7.aarch64.rpm

 

ppc64:

openldap-2.4.40-8.el7.ppc.rpm

openldap-2.4.40-8.el7.ppc64.rpm

openldap-clients-2.4.40-8.el7.ppc64.rpm

openldap-debuginfo-2.4.40-8.el7.ppc.rpm

openldap-debuginfo-2.4.40-8.el7.ppc64.rpm

openldap-devel-2.4.40-8.el7.ppc.rpm

openldap-devel-2.4.40-8.el7.ppc64.rpm

openldap-servers-2.4.40-8.el7.ppc64.rpm

 

ppc64le:

openldap-2.4.40-8.el7.ppc64le.rpm

openldap-clients-2.4.40-8.el7.ppc64le.rpm

openldap-debuginfo-2.4.40-8.el7.ppc64le.rpm

openldap-devel-2.4.40-8.el7.ppc64le.rpm

openldap-servers-2.4.40-8.el7.ppc64le.rpm

 

s390x:

openldap-2.4.40-8.el7.s390.rpm

openldap-2.4.40-8.el7.s390x.rpm

openldap-clients-2.4.40-8.el7.s390x.rpm

openldap-debuginfo-2.4.40-8.el7.s390.rpm

openldap-debuginfo-2.4.40-8.el7.s390x.rpm

openldap-devel-2.4.40-8.el7.s390.rpm

openldap-devel-2.4.40-8.el7.s390x.rpm

openldap-servers-2.4.40-8.el7.s390x.rpm

 

x86_64:

openldap-2.4.40-8.el7.i686.rpm

openldap-2.4.40-8.el7.x86_64.rpm

openldap-clients-2.4.40-8.el7.x86_64.rpm

openldap-debuginfo-2.4.40-8.el7.i686.rpm

openldap-debuginfo-2.4.40-8.el7.x86_64.rpm

openldap-devel-2.4.40-8.el7.i686.rpm

openldap-devel-2.4.40-8.el7.x86_64.rpm

openldap-servers-2.4.40-8.el7.x86_64.rpm

 

Red Hat Enterprise Linux Server Optional (v. 7):

 

aarch64:

openldap-debuginfo-2.4.40-8.el7.aarch64.rpm

openldap-servers-sql-2.4.40-8.el7.aarch64.rpm

 

ppc64:

openldap-debuginfo-2.4.40-8.el7.ppc64.rpm

openldap-servers-sql-2.4.40-8.el7.ppc64.rpm

 

ppc64le:

openldap-debuginfo-2.4.40-8.el7.ppc64le.rpm

openldap-servers-sql-2.4.40-8.el7.ppc64le.rpm

 

s390x:

openldap-debuginfo-2.4.40-8.el7.s390x.rpm

openldap-servers-sql-2.4.40-8.el7.s390x.rpm

 

x86_64:

openldap-debuginfo-2.4.40-8.el7.x86_64.rpm

openldap-servers-sql-2.4.40-8.el7.x86_64.rpm

 

Red Hat Enterprise Linux Workstation (v. 7):

 

Source:

openldap-2.4.40-8.el7.src.rpm

 

x86_64:

openldap-2.4.40-8.el7.i686.rpm

openldap-2.4.40-8.el7.x86_64.rpm

openldap-clients-2.4.40-8.el7.x86_64.rpm

openldap-debuginfo-2.4.40-8.el7.i686.rpm

openldap-debuginfo-2.4.40-8.el7.x86_64.rpm

openldap-devel-2.4.40-8.el7.i686.rpm

openldap-devel-2.4.40-8.el7.x86_64.rpm

openldap-servers-2.4.40-8.el7.x86_64.rpm

 

Red Hat Enterprise Linux Workstation Optional (v. 7):

 

x86_64:

openldap-debuginfo-2.4.40-8.el7.x86_64.rpm

openldap-servers-sql-2.4.40-8.el7.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2015-3276

https://access.redhat.com/security/updates/classification/#moderate

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2015 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iD8DBQFWTkAqXlSAg2UNWIIRApiCAJ44SptkF3iHK4PzvRFEUVr9a7n1/QCfRzvk

RLWIUgb0gZuTaV7Oz1bKfvI=

=qJ1g

-----END PGP SIGNATURE-----

 

--