SUSE-SU-2015:0887-1: moderate: Security update for openldap2

sle-security-updates at lists.suse.com
Fri May 15 14:05:09 MDT 2015


   SUSE Security Update: Security update for openldap2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0887-1
Rating:             moderate
References:         #846389 #905959 #916897 #916914 
Cross-References:   CVE-2013-4449 CVE-2015-1545 CVE-2015-1546
                   
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Security Module 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that solves three vulnerabilities and has one
   erratum is now available.

Description:


   openldap2 was updated to fix three security issues and one non-security
   bug.

   The following vulnerabilities were fixed:

       * A remote attacker could cause a denial of service (slapd crash) by
         unbinding immediately after a search request. (bnc#846389,
         CVE-2013-4449)
       * A remote attacker could cause a denial of service through a NULL
         pointer dereference and crash via an empty attribute list in a deref
         control in a search request. (bnc#916897, CVE-2015-1545)
       * A remote attacker could cause a denial of service (crash) via a
         crafted search query with a matched values control. (bnc#916914,
         CVE-2015-1546)

   The following non-security bug was fixed:

       * Prevent connection-0 (internal connection) from showing up in the
         monitor back-end. (bnc#905959)

   Security Issues:

       * CVE-2015-1546
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546>
       * CVE-2015-1545
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545>
       * CVE-2013-4449
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4449>


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-openldap2-20150423=10635

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-openldap2-20150423=10635

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-openldap2-20150423=10635

   - SUSE Linux Enterprise Security Module 11 SP3:

      zypper in -t patch secsp3-openldap2-20150423=10635

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-openldap2-20150423=10635

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      openldap2-back-perl-2.4.26-0.30.1
      openldap2-devel-2.4.26-0.30.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):

      openldap2-devel-32bit-2.4.26-0.30.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):

      openldap2-2.4.26-0.30.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      compat-libldap-2_3-0-2.3.37-2.30.1
      libldap-2_4-2-2.4.26-0.30.1
      openldap2-2.4.26-0.30.1
      openldap2-back-meta-2.4.26-0.30.1
      openldap2-client-2.4.26-0.30.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):

      libldap-2_4-2-32bit-2.4.26-0.30.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      compat-libldap-2_3-0-2.3.37-2.30.1
      libldap-2_4-2-2.4.26-0.30.1
      openldap2-2.4.26-0.30.1
      openldap2-back-meta-2.4.26-0.30.1
      openldap2-client-2.4.26-0.30.1

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):

      libldap-2_4-2-32bit-2.4.26-0.30.1

   - SUSE Linux Enterprise Server 11 SP3 (ia64):

      libldap-2_4-2-x86-2.4.26-0.30.1

   - SUSE Linux Enterprise Security Module 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      libldap-openssl1-2_4-2-2.4.26-0.30.2

   - SUSE Linux Enterprise Security Module 11 SP3 (ppc64 s390x x86_64):

      libldap-openssl1-2_4-2-32bit-2.4.26-0.30.2

   - SUSE Linux Enterprise Security Module 11 SP3 (ia64):

      libldap-openssl1-2_4-2-x86-2.4.26-0.30.2

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      libldap-2_4-2-2.4.26-0.30.1
      openldap2-client-2.4.26-0.30.1

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

      libldap-2_4-2-32bit-2.4.26-0.30.1
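
A post-update check against the Package List above. This is an added example, not part of the SUSE advisory. The function names are hypothetical, the sample input is constructed, and the comparison assumes purely numeric version fields as in this advisory (it is not rpm's full version comparison).

```shell
#!/bin/sh
# Fixed version-release for each package named in the Package List.
fixed_version() {
    case "$1" in
        compat-libldap-2_3-0) echo "2.3.37-2.30.1" ;;
        libldap-openssl1-2_4-2|libldap-openssl1-2_4-2-32bit|libldap-openssl1-2_4-2-x86)
            echo "2.4.26-0.30.2" ;;
        libldap-2_4-2|libldap-2_4-2-32bit|libldap-2_4-2-x86) echo "2.4.26-0.30.1" ;;
        openldap2|openldap2-client|openldap2-devel|openldap2-devel-32bit)
            echo "2.4.26-0.30.1" ;;
        openldap2-back-meta|openldap2-back-perl) echo "2.4.26-0.30.1" ;;
        *) return 1 ;;   # package is not covered by this advisory
    esac
}

# True if version $1 >= version $2, comparing numeric fields split on "." and "-".
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        for (i = 1; i <= (n > m ? n : m); i++)
            if ((x[i] + 0) != (y[i] + 0)) exit !((x[i] + 0) > (y[i] + 0))
        exit 0
    }' </dev/null
}

# Reads "name version-release" lines on stdin, for example the output of
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# Returns non-zero if any covered package is older than its fixed version.
check_openldap_packages() {
    status=0
    while read -r name ver; do
        fixed=$(fixed_version "$name") || continue
        if ver_ge "$ver" "$fixed"; then
            echo "OK      $name $ver"
        else
            echo "UPDATE  $name $ver (fixed in $fixed)"
            status=1
        fi
    done
    return $status
}

# Constructed sample input; the older release numbers are made up.
check_openldap_packages <<'EOF' || echo "at least one package predates this update"
openldap2 2.4.26-0.28.5
libldap-2_4-2 2.4.26-0.30.1
libldap-openssl1-2_4-2 2.4.26-0.30.1
bash 3.2-147.9.13
EOF
```

Since slapd only picks up the fixed code once it is restarted, a passing check on the package versions does not by itself show that the running daemon is the updated one.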


References:

   https://www.suse.com/security/cve/CVE-2013-4449.html
   https://www.suse.com/security/cve/CVE-2015-1545.html
   https://www.suse.com/security/cve/CVE-2015-1546.html
   https://bugzilla.suse.com/846389
   https://bugzilla.suse.com/905959
   https://bugzilla.suse.com/916897
   https://bugzilla.suse.com/916914
   https://download.suse.com/patch/finder/?keywords=0928f5c9a167750a8d91b2beccf9a178


