Debian Bug report logs -
#377047
slapd: Vulnerable to CVE-2006-2754 (buffer overflow)
Reported by: Martin Pitt <mpitt@debian.org>
Date: Thu, 6 Jul 2006 11:18:07 UTC
Severity: important
Tags: patch
Merged with 375494
Found in version openldap2.2/2.2.26-5
Fixed in version 2.3.24-1
Done: Russ Allbery <rra@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#377047; Package slapd.
Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
New Bug report received and forwarded. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: slapd
Version: 2.2.26-5
Severity: important
Tags: security patch
Hi!
There is a buffer overflow in st.c. Please see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2754
for links to more detailed descriptions and a pointer to the upstream
CVS patch.
Please mention the CVE number in the changelog when you fix this.
Thank you!
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#377047; Package slapd.
Acknowledgement sent to Torsten Landschoff <torsten@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>.
Message #10 received at 377047@bugs.debian.org:
Hi Martin,
On Thu, Jul 06, 2006 at 01:05:15PM +0200, Martin Pitt wrote:
> There is a buffer overflow in st.c. Please see
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2754
>
> for links to more detailed descriptions and a pointer to the upstream
> CVS patch.
>
> Please mention the CVE number in the changelog when you fix this.
How is the current procedure for security uploads (RTFM pointer is good
enough)? We can surely provide an updated package for sarge but I fear
duplicated work with the security team.
@Matthijs: I can build an updated sarge package by tomorrow I think, any
objections?
Greetings
Torsten
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#377047; Package slapd.
Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>.
Message #15 received at 377047@bugs.debian.org:
Hi Torsten,
Torsten Landschoff [2006-07-08 17:42 +0200]:
> > There is a buffer overflow in st.c. Please see
> >
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2754
> >
> > for links to more detailed descriptions and a pointer to the upstream
> > CVS patch.
> >
> > Please mention the CVE number in the changelog when you fix this.
>
> How is the current procedure for security uploads (RTFM pointer is good
> enough)? We can surely provide an updated package for sarge but I fear
> duplicated work with the security team.
Normally the security team is glad to get security updates prepared by
the maintainers. Please just mail security@d.o. with a short
description and the CVE number and tell them that you will prepare an
update. Then follow up with a source package and they will give you ok
to upload or discuss changes with you.
http://www.de.debian.org/doc/developers-reference/ch-pkgs.en.html#s-bug-security
has some more details.
Thanks,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
Bug marked as not found in version 2.3.24-1.
Request was from Matthijs Mohlmann <matthijs@cacholong.nl>
to control@bugs.debian.org.
Tags removed: security
Request was from Neil McGovern <neilm@debian.org>
to control@bugs.debian.org.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 28 Jun 2007 00:46:41 GMT)
Bug unarchived.
Request was from Stefano Zacchiroli <zack@debian.org>
to control@bugs.debian.org.
(Sun, 10 Apr 2011 08:48:11 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 09 May 2011 07:42:12 GMT)
Last modified: Wed Oct 11 12:06:37 2017