Security Advisory Netscape Directory Server security update

Advisory: RHSA-2005:030-02
Type: Security Advisory
Severity: Critical
Issued on: 2005-01-11
Last updated on: 2005-01-11
Affected Products:
OVAL: N/A
CVEs (cve.mitre.org): CVE-2004-1236

Details

Patches for Netscape Directory Server that fix a remotely exploitable
security issue are now available.

In December 2004 Red Hat acquired the Netscape Directory Server product from
America Online, Inc.

A stack buffer overflow was found in the access control code in Netscape
Directory Server 6.21 and earlier. A remote attacker who can communicate
with the LDAP service could trigger this flaw by creating a carefully
crafted attribute change request. A successful exploit would lead to a
denial of service (crash) or potentially to remote code execution on the
server.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-1236 to this issue.


Solution

Patches in the form of updated libraries that correct this issue are
available on request from the Red Hat Security Response Team. Please contact
secalert@redhat.com.

Updated packages


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/