Well, considering that Ubuntu openldap maintainers consider e.g. CVE-2013-4449
(denial-of-service, 2.4.31 to 2.4.36 are vulnerable) not important enough to
patch
or update to a later openldap version, I expect there to be zero chance of this
bug
to be patched either. It seems that if it does not
rtandy, this is not specific to slapd, but affects all applications that
use libldap2 and gnutls. Instead of returning a failure at START_TLS,
the library just crashes at a double-free. This makes it difficult to
find the actual problem in services like sssd that crash due to this
bug, although the
Reported upstream at openldap.org, as Incoming/7500,
https://www.openldap.org/its/index.cgi/Incoming?id=7500
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1103353
Title:
Inval
Correct. The workaround to avoid the crash is to use a strictly valid
GnuTLS cipher suite string, for example "NORMAL" or "SECURE128" or
"SECURE192" or "SECURE256".
In those rare cases where those existing defaults are not acceptable
(due to security concerns, for example), the minimal "search.c"
This bugs affects libldap-2.4.-2, at least versions versions 2.4.28
(2.4.28-1.1ubuntu4) and 2.4.31 (2.4.31-1ubuntu2), when compiled against GnuTLS.
The bug exists in latest openldap.org upstream versions from 2.4.28 to 2.4.33
at least; probably since they switched from custom parsing the cipher
Public bug reported:
If the cipher suite string is unacceptable to GnuTLS, libldap_r-2.4
crashes due to a double free. GnuTLS is extremely picky about the cipher
suite strings it accepts; as a first measure, try LDAP cipher suite
string "SECURE256" or "NORMAL". If that stops the crash, then you ha
