CentOS Errata and Security Advisory CESA-2015:2131
OpenLDAP is an open-source suite of Lightweight Directory Access Protocol
(LDAP) applications and development tools. LDAP is a set of protocols used
to access and maintain distributed directory information services over an
IP network. The openldap packages contain configuration files, libraries,
and documentation for OpenLDAP.
A flaw was found in the way OpenLDAP parsed OpenSSL-style cipher strings.
As a result, OpenLDAP could potentially use ciphers that were not intended
to be enabled. (CVE-2015-3276)
This issue was discovered by Martin Poole of the Red Hat Software
Maintenance Engineering group.
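A defender-side check for the flaw above, added here as an example and not code from the advisory or the OpenLDAP project: expand the cipher string configured in slapd's TLSCipherSuite through OpenSSL's own parser (via Python's ssl module) and list any suites the deployment did not intend to offer, so an unexpected expansion is caught before it reaches production. The WEAK_MARKERS list is an assumed local policy, not a value from the page.

```python
import ssl

# Name fragments of suites a hardened LDAP deployment should not offer.
# Constructed policy for this example, not from the advisory; extend as needed.
# "DES" also catches the 3DES suites (e.g. DES-CBC3-SHA).
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def expand_cipher_string(cipher_string):
    """Return the suite names OpenSSL's parser selects for cipher_string,
    in preference order. Raises ssl.SSLError when nothing can be selected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(names):
    """Return the suite names that carry one of the weak-marker fragments."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def audit_cipher_string(cipher_string):
    """Expand cipher_string and report what it really enables: a dict with
    every enabled suite and the flagged subset. An empty 'enabled' list means
    the string selected nothing, which is a misconfiguration, not a pass."""
    try:
        enabled = expand_cipher_string(cipher_string)
    except ssl.SSLError:
        enabled = []
    return {"enabled": enabled, "flagged": weak_suites(enabled)}


if __name__ == "__main__":
    # Two candidate TLSCipherSuite values: a hardened one and a permissive one.
    for candidate in ("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES", "ALL:!aNULL"):
        report = audit_cipher_string(candidate)
        print(f"{candidate}: {len(report['enabled'])} suites enabled, "
              f"flagged: {report['flagged'] or 'none'}")
```

The same expansion can be produced from the shell with `openssl ciphers -v '<string>'`, which is useful for comparing the string's intended meaning against what the installed OpenLDAP build actually negotiates.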
The openldap packages have been upgraded to upstream version 2.4.40, which
provides a number of bug fixes and one enhancement over the previous
version:
(BZ#1147982)
This update also fixes the following bugs:
Previously, OpenLDAP did not properly handle a number of simultaneous
updates. As a consequence, sending a number of parallel update requests to
the server could cause a deadlock. With this update, a superfluous locking
mechanism causing the deadlock has been removed, thus fixing the bug.
(BZ#1125152)
The httpd service sometimes terminated unexpectedly with a segmentation
fault when the libldap library was unloaded. The underlying source code has
been modified to prevent the invalid memory access that caused the bug.
As a result, httpd no longer crashes in this situation. (BZ#1158005)
After upgrading the system from Red Hat Enterprise Linux 6 to Red Hat
Enterprise Linux 7, symbolic links to certain libraries unexpectedly
pointed to locations belonging to the openldap-devel package. If the user
uninstalled openldap-devel, the symbolic links were broken and the “rpm -V
openldap” command sometimes produced errors. With this update, the symbolic
links no longer break in the described situation. If the user
downgrades openldap to version 2.4.39-6 or earlier, the symbolic links
might break. After such a downgrade, it is recommended to verify that the
symbolic links are intact. To do this, make sure the yum-plugin-verify
package is installed and check the link targets by running the “rpm -V
openldap” or “yum verify openldap” command. (BZ#1230263)
In addition, this update adds the following enhancement:
All openldap users are advised to upgrade to these updated packages, which
correct these issues and add this enhancement.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-cr-announce/2015-November/028786.html
Affected packages:
openldap
openldap-clients
openldap-devel
openldap-servers
openldap-servers-sql
Upstream details at:
https://access.redhat.com/errata/RHSA-2015:2131
OS | OS version | Architecture | Package | Affected versions | Fixed package filename |
---|---|---|---|---|---|
CentOS | 7 | i686 | openldap | < 2.4.40-8.el7 | openldap-2.4.40-8.el7.i686.rpm |
CentOS | 7 | x86_64 | openldap | < 2.4.40-8.el7 | openldap-2.4.40-8.el7.x86_64.rpm |
CentOS | 7 | x86_64 | openldap-clients | < 2.4.40-8.el7 | openldap-clients-2.4.40-8.el7.x86_64.rpm |
CentOS | 7 | i686 | openldap-devel | < 2.4.40-8.el7 | openldap-devel-2.4.40-8.el7.i686.rpm |
CentOS | 7 | x86_64 | openldap-devel | < 2.4.40-8.el7 | openldap-devel-2.4.40-8.el7.x86_64.rpm |
CentOS | 7 | x86_64 | openldap-servers | < 2.4.40-8.el7 | openldap-servers-2.4.40-8.el7.x86_64.rpm |
CentOS | 7 | x86_64 | openldap-servers-sql | < 2.4.40-8.el7 | openldap-servers-sql-2.4.40-8.el7.x86_64.rpm |