Skip to content
GitLab
Projects Groups Topics Snippets
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Register
  • Sign in
  • Adélie Package Tree Adélie Package Tree
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Graph
    • Compare revisions
  • Issues 162
    • Issues 162
    • List
    • Boards
    • Service Desk
    • Milestones
  • Merge requests 17
    • Merge requests 17
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
  • Wiki
    • Wiki
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • Adélie LinuxAdélie Linux
  • Adélie Package TreeAdélie Package Tree
  • Issues
  • #165
Closed
Open
Issue created Jul 31, 2019 by Emily@emily🤖

user/openldap: multiple vulnerabilities

Bugzilla ID 165
Alias(es) CVE-2019-13057, CVE-2019-13565
Reporter Max Rees (sroracle)
Assignee Max Rees (sroracle)
Reported 2019-07-31 10:54:52 -0500
Modified 2019-08-04 19:18:42 -0500
Status RESOLVED FIXED
Version 1.0-BETA3
Hardware Adélie Linux / All
Importance --- / normal

Description

CVE-2019-13057: https://nvd.nist.gov/vuln/detail/CVE-2019-13057

An issue was discovered in the server in OpenLDAP before 2.4.48. When
the server administrator delegates rootDN (database admin) privileges
for certain databases but wants to maintain isolation (e.g., for
multi-tenant deployments), slapd does not properly stop a rootDN from
requesting authorization as an identity from another database during a
SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common
configuration to deploy a system where the server administrator and a
DB administrator enjoy different levels of trust.)

CVE-2019-13565: https://nvd.nist.gov/vuln/detail/CVE-2019-13565

An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL
authentication and session encryption, and relying on the SASL
security layers in slapd access controls, it is possible to obtain
access that would otherwise be denied via a simple bind for any
identity covered in those ACLs. After the first SASL bind is
completed, the sasl_ssf value is retained for all new non-SASL
connections. Depending on the ACL configuration, this can affect
different types of operations (searches, modifications, etc.). In
other words, a successful authorization step completed by one user
affects the authorization requirement for a different user.

Assignee
Assign to
Time tracking