Moderate: openldap security, bug fix, and enhancement update

Advisory: RHSA-2015:2131-2
Type: Security Advisory
Severity: Moderate
Issued on: 2015-11-19
Last updated on: 2015-11-19
Affected Products:
  Red Hat Enterprise Linux Desktop (v. 7)
  Red Hat Enterprise Linux HPC Node (v. 7)
  Red Hat Enterprise Linux Server (v. 7)
  Red Hat Enterprise Linux Workstation (v. 7)
CVEs (cve.mitre.org): CVE-2014-8182, CVE-2015-3276

Details

Updated openldap packages that fix one security issue, several bugs, and
add one enhancement are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

OpenLDAP is an open-source suite of Lightweight Directory Access Protocol
(LDAP) applications and development tools. LDAP is a set of protocols used
to access and maintain distributed directory information services over an
IP network. The openldap packages contain configuration files, libraries,
and documentation for OpenLDAP.

A flaw was found in the way OpenLDAP parsed OpenSSL-style cipher strings.
As a result, OpenLDAP could potentially use ciphers that were not intended
to be enabled. (CVE-2015-3276)

This issue was discovered by Martin Poole of the Red Hat Software
Maintenance Engineering group.
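To make the cipher-string point concrete, here is an added example that is not OpenLDAP's or Red Hat's code: an OpenSSL-style cipher string is ':'-separated, and a multi-keyword token such as HIGH+ECDHE must enable only ciphers that satisfy every keyword. The advisory does not describe the parsing defect itself, so the `require_all=False` mode is a constructed illustration of the class of mistake (reading '+' as "any keyword") that lets ciphers the administrator never intended slip into the enabled set; the cipher table is constructed for the example.

```python
# Added example (not OpenLDAP/Red Hat code). The lax mode illustrates the
# class of mistake behind CVE-2015-3276, not the exact OpenLDAP defect.
# Constructed table: cipher name -> keywords it satisfies (illustrative only).
CIPHERS = {
    "ECDHE-RSA-AES256-GCM-SHA384": {"ECDHE", "AES256", "AESGCM", "SHA384", "HIGH"},
    "ECDHE-RSA-AES128-SHA": {"ECDHE", "AES128", "SHA1", "HIGH"},
    "AES256-SHA": {"kRSA", "AES256", "SHA1", "HIGH"},
    "DES-CBC3-SHA": {"kRSA", "3DES", "SHA1", "MEDIUM"},
    "RC4-MD5": {"kRSA", "RC4", "MD5", "MEDIUM"},
    "NULL-SHA": {"kRSA", "eNULL", "SHA1"},
}

def select(keywords, require_all=True):
    """Ciphers (in table order) matching a keyword set: OpenSSL semantics
    need every keyword ("HIGH+ECDHE"); the lax reading accepts any one."""
    if require_all:
        return [n for n, tags in CIPHERS.items() if keywords <= tags]
    return [n for n, tags in CIPHERS.items() if keywords & tags]

def parse_cipher_string(spec, require_all=True):
    """Evaluate ':'-separated tokens with OpenSSL's '!', '-' and '+' prefixes."""
    enabled, killed = [], set()
    for token in filter(None, spec.split(":")):
        prefix = token[0] if token[0] in "!-+" else ""
        matches = select(set(token[len(prefix):].split("+")), require_all)
        if prefix in ("!", "-"):
            if prefix == "!":          # '!' also blocks later re-adding
                killed.update(matches)
            enabled = [c for c in enabled if c not in matches]
        elif prefix == "+":            # move matches to the end of the list
            enabled = ([c for c in enabled if c not in matches]
                       + [c for c in enabled if c in matches])
        else:
            enabled += [c for c in matches if c not in enabled and c not in killed]
    return enabled

def unintended_ciphers(spec):
    """Ciphers the lax parser enables that the strict one does not."""
    return sorted(set(parse_cipher_string(spec, False)) - set(parse_cipher_string(spec)))

if __name__ == "__main__":
    spec = "HIGH+ECDHE:!eNULL:!MD5"
    print("strict:", parse_cipher_string(spec))
    print("lax   :", parse_cipher_string(spec, require_all=False))
    print("unintended:", unintended_ciphers(spec))
```

With the constructed table, the lax reading of HIGH+ECDHE silently admits the non-forward-secret AES256-SHA, which is exactly the kind of "cipher not intended to be enabled" the advisory describes.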

The openldap packages have been upgraded to upstream version 2.4.40, which
provides a number of bug fixes and one enhancement over the previous
version:

* The ORDERING matching rules have been added to the ppolicy attribute type
descriptions.
* The server no longer terminates unexpectedly when processing SRV records.
* Missing objectClass information has been added, which enables the user to
modify the front-end configuration by standard means.

(BZ#1147982)

This update also fixes the following bugs:

* Previously, OpenLDAP did not properly handle a number of simultaneous
updates. As a consequence, sending a number of parallel update requests to
the server could cause a deadlock. With this update, a superfluous locking
mechanism causing the deadlock has been removed, thus fixing the bug.
(BZ#1125152)

* The httpd service sometimes terminated unexpectedly with a segmentation
fault on the libldap library unload. The underlying source code has been
modified to prevent a bad memory access error that caused the bug to occur.
As a result, httpd no longer crashes in this situation. (BZ#1158005)

* After upgrading the system from Red Hat Enterprise Linux 6 to Red Hat
Enterprise Linux 7, symbolic links to certain libraries unexpectedly
pointed to locations belonging to the openldap-devel package. If the user
uninstalled openldap-devel, the symbolic links were broken and the "rpm -V
openldap" command sometimes produced errors. With this update, the symbolic
links no longer break in the described situation. If the user downgrades
openldap to version 2.4.39-6 or earlier, the symbolic links might break
again. After such a downgrade, it is recommended to verify that the
symbolic links are intact. To do this, make sure the yum-plugin-verify
package is installed and check the target libraries by running the "rpm -V
openldap" or "yum verify openldap" command. (BZ#1230263)

In addition, this update adds the following enhancement:

* OpenLDAP clients now automatically choose the Network Security Services
(NSS) default cipher suites for communication with the server. It is no
longer necessary to maintain the default cipher suites manually in the
OpenLDAP source code. (BZ#1245279)

All openldap users are advised to upgrade to these updated packages, which
correct these issues and add this enhancement.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Updated packages

All files listed below have since been outdated by RHBA-2016:2163.

Red Hat Enterprise Linux Desktop (v. 7)

SRPMS:
openldap-2.4.40-8.el7.src.rpm

x86_64:
openldap-2.4.40-8.el7.i686.rpm
openldap-2.4.40-8.el7.x86_64.rpm
openldap-clients-2.4.40-8.el7.x86_64.rpm
openldap-debuginfo-2.4.40-8.el7.i686.rpm
openldap-debuginfo-2.4.40-8.el7.x86_64.rpm
openldap-devel-2.4.40-8.el7.i686.rpm
openldap-devel-2.4.40-8.el7.x86_64.rpm
openldap-servers-2.4.40-8.el7.x86_64.rpm
openldap-servers-sql-2.4.40-8.el7.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 7)

SRPMS:
openldap-2.4.40-8.el7.src.rpm

x86_64:
openldap-2.4.40-8.el7.i686.rpm
openldap-2.4.40-8.el7.x86_64.rpm
openldap-clients-2.4.40-8.el7.x86_64.rpm
openldap-debuginfo-2.4.40-8.el7.i686.rpm
openldap-debuginfo-2.4.40-8.el7.x86_64.rpm
openldap-devel-2.4.40-8.el7.i686.rpm
openldap-devel-2.4.40-8.el7.x86_64.rpm
openldap-servers-2.4.40-8.el7.x86_64.rpm
openldap-servers-sql-2.4.40-8.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7)

SRPMS:
openldap-2.4.40-8.el7.src.rpm

PPC:
openldap-2.4.40-8.el7.ppc.rpm
openldap-2.4.40-8.el7.ppc64.rpm
openldap-clients-2.4.40-8.el7.ppc64.rpm
openldap-debuginfo-2.4.40-8.el7.ppc.rpm
openldap-debuginfo-2.4.40-8.el7.ppc64.rpm
openldap-devel-2.4.40-8.el7.ppc.rpm
openldap-devel-2.4.40-8.el7.ppc64.rpm
openldap-servers-2.4.40-8.el7.ppc64.rpm
openldap-servers-sql-2.4.40-8.el7.ppc64.rpm

s390x:
openldap-2.4.40-8.el7.s390.rpm
openldap-2.4.40-8.el7.s390x.rpm
openldap-clients-2.4.40-8.el7.s390x.rpm
openldap-debuginfo-2.4.40-8.el7.s390.rpm
openldap-debuginfo-2.4.40-8.el7.s390x.rpm
openldap-devel-2.4.40-8.el7.s390.rpm
openldap-devel-2.4.40-8.el7.s390x.rpm
openldap-servers-2.4.40-8.el7.s390x.rpm
openldap-servers-sql-2.4.40-8.el7.s390x.rpm

x86_64:
openldap-2.4.40-8.el7.i686.rpm
openldap-2.4.40-8.el7.x86_64.rpm
openldap-clients-2.4.40-8.el7.x86_64.rpm
openldap-debuginfo-2.4.40-8.el7.i686.rpm
openldap-debuginfo-2.4.40-8.el7.x86_64.rpm
openldap-devel-2.4.40-8.el7.i686.rpm
openldap-devel-2.4.40-8.el7.x86_64.rpm
openldap-servers-2.4.40-8.el7.x86_64.rpm
openldap-servers-sql-2.4.40-8.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7)

SRPMS:
openldap-2.4.40-8.el7.src.rpm

x86_64:
openldap-2.4.40-8.el7.i686.rpm
openldap-2.4.40-8.el7.x86_64.rpm
openldap-clients-2.4.40-8.el7.x86_64.rpm
openldap-debuginfo-2.4.40-8.el7.i686.rpm
openldap-debuginfo-2.4.40-8.el7.x86_64.rpm
openldap-devel-2.4.40-8.el7.i686.rpm
openldap-devel-2.4.40-8.el7.x86_64.rpm
openldap-servers-2.4.40-8.el7.x86_64.rpm
openldap-servers-sql-2.4.40-8.el7.x86_64.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1147982 - Rebase openldap to 2.4.40
1158005 - OpenLDAP crash in NSS shutdown handling
1174634 - pwdChecker library requires version in pwdCheckModule attribute
1174723 - values for pwdChecker are not set to default values
1175415 - openldap: crash in ldap_domain2hostlist when processing SRV records
1184585 - slaptest doesn't convert perlModuleConfig lines
1209229 - openldap-servers leverages 'find' from findutils which is not a dep of the rpm
1226600 - olcDatabase in olcFrontend attribute incorrect/faulty
1230263 - rpm -V openldap complains
1231228 - automount via ldap with TLS/SSL support is not working
1238322 - CVE-2015-3276 openldap: incorrect multi-keyword mode cipherstring parsing
1245279 - OpenLDAP doesn't use sane (or default) cipher order

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/