(RHSA-2010:0198) Moderate: openldap security and bug fix update

OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
Protocol) applications and development tools.

A flaw was found in the way OpenLDAP handled NUL characters in the
CommonName field of X.509 certificates. An attacker able to get a
carefully-crafted certificate signed by a trusted Certificate Authority
could trick applications using OpenLDAP libraries into accepting it by
mistake, allowing the attacker to perform a man-in-the-middle attack.
(CVE-2009-3767)

This update also fixes the following bugs:

• the ldap init script did not provide a way to alter system limits for the
  slapd daemon. A variable is now available in “/etc/sysconfig/ldap” for this
  option. (BZ#527313)

• applications that use the OpenLDAP libraries to contact a Microsoft
  Active Directory server could crash when a large number of network
  interfaces existed. This update implements locks in the OpenLDAP library
  code to resolve this issue. (BZ#510522)

• when slapd was configured to allow client certificates, approximately 90%
  of connections froze because of a large CA certificate file and slapd not
  checking the success of the SSL handshake. (BZ#509230)

• the OpenLDAP server would freeze for unknown reasons under high load.
  These packages add support for accepting incoming connections by new
  threads, resolving the issue. (BZ#507276)

• the compat-openldap libraries did not list dependencies on other
  libraries, causing programs that did not specifically specify the libraries
  to fail. Detection of the Application Binary Interface (ABI) in use on
  64-bit systems has been added with this update. (BZ#503734)

• the OpenLDAP libraries caused applications to crash due to an unprocessed
  network timeout. A timeval of -1 is now passed when NULL is passed to LDAP.
  (BZ#495701)

• slapd could crash on a server under heavy load when using rwm overlay,
  caused by freeing non-allocated memory during operation cleanup.
  (BZ#495628)

• the ldap init script made a temporary script in “/tmp/” and attempted to
  execute it. Problems arose when “/tmp/” was mounted with the noexec option.
  The temporary script is no longer created. (BZ#483356)

• the ldap init script always started slapd listening on ldap:/// even if
  instructed to listen only on ldaps:///. By correcting the init script, a
  user can now select which ports slapd should listen on. (BZ#481003)

• the slapd manual page did not mention the supported options -V and -o.
  (BZ#468206)

• slapd.conf had a commented-out option to load the syncprov.la module.
  Once un-commented, slapd crashed at start-up because the module had already
  been statically linked to OpenLDAP. This update removes “moduleload
  syncprov.la” from slapd.conf, which resolves this issue. (BZ#466937)

• the migrate_automount.pl script produced output that was unsupported by
  autofs. This is corrected by updating the output LDIF format for automount
  records. (BZ#460331)

• the ldap init script uses the TERM signal followed by the KILL signal
  when shutting down slapd. Minimal delay between the two signals could cause
  the LDAP database to become corrupted if it had not finished saving its
  state. A delay between the signals has been added via the “STOP_DELAY”
  option in “/etc/sysconfig/ldap”. (BZ#452064)

• the migrate_passwd.pl migration script had a problem when number fields
  contained only a zero. Such fields were considered to be empty, leading to
  the attribute not being set in the LDIF output. The condition in
  dump_shadow_attributes has been corrected to allow for the attributes to
  contain only a zero. (BZ#113857)

• the migrate_base.pl migration script did not handle third level domains
  correctly, creating a second level domain that could not be held by a
  database with a three level base. This is now allowed by modifying the
  migrate_base.pl script to generate only one domain. (BZ#104585)

Users of OpenLDAP should upgrade to these updated packages, which resolve
these issues.