Security Advisory Moderate: libldb security update

Advisory: RHSA-2016:0014-1
Type: Security Advisory
Severity: Moderate
Issued on: 2016-01-08
Last updated on: 2016-01-08
Affected Products: Red Hat Gluster Storage Server 3 on RHEL-6
Red Hat Gluster Storage Server 3 on RHEL-7
CVEs ( CVE-2015-3223


Updated libldb packages that fix two security issues are now available for
Red Hat Gluster Storage 3.1.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

The libldb packages provide an extensible library that implements an
LDAP-like API to access remote LDAP servers, or use local TDB databases.

A denial of service flaw was found in the ldb_wildcard_compare() function
of libldb. A remote attacker could send a specially crafted packet that,
when processed by an application using libldb (for example the AD LDAP
server in Samba), would cause that application to consume an excessive
amount of memory and crash. (CVE-2015-3223)

A memory-read flaw was found in the way the libldb library processed LDB DN
records with a null byte. An authenticated, remote attacker could use this
flaw to read heap-memory pages from the server. (CVE-2015-5330)

Red Hat would like to thank the Samba project for reporting these issues.
Upstream acknowledges Thilo Uttendorfer as the original reporter of
CVE-2015-3223, and Douglas Bagnall as the original reporter of

All libldb users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.


Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

Updated packages

Red Hat Gluster Storage Server 3 on RHEL-6

File outdated by:  RHBA-2016:0673
    MD5: 97a0a8050676112a420c842bbf780773
SHA-256: fd6cd49fc89a6bfb1a67959f9c83f47fd4eb1d51d46e43fd34938257ffab91c0
File outdated by:  RHBA-2016:0673
    MD5: a8ce5ea5eb8f21339f57e4df722b6f9b
SHA-256: c3eabcfcdabad80264481871499372d1058e0728632a89ebf94b6f3c8228604f
File outdated by:  RHBA-2016:0673
    MD5: d9081a4bab7fd46460af42cdd2a5d032
SHA-256: 17778f8781528d592e62080dd35d01ae5d64a7cbf24ba2878148cf3df846c664
File outdated by:  RHBA-2016:0673
    MD5: db75e8b862bd22b3cfa95d3ec3cc90a9
SHA-256: 843dc3ee4c07d75d89d7466ea41319cb34c1fd2efe2c81c44d927ae4d14ba008
File outdated by:  RHBA-2016:0673
    MD5: 8788910d6fb94b940774bedb0eac53b2
SHA-256: 5e5ba2aa4c8256df3b4417ea651c16e5736faa0b42beacca56b4740b47c42ea5
File outdated by:  RHBA-2016:0673
    MD5: 5d64a005f5c160109a075c4a0aa8a588
SHA-256: 54cef1a558cb4a7b5d80d5a8c3633d8f855b236d7d1c02b4b837f2ef2f03b0f1
Red Hat Gluster Storage Server 3 on RHEL-7

File outdated by:  RHBA-2016:0674
    MD5: 6ac66a752c047fd23d63f1c41cf1bdf5
SHA-256: 4c421b4a638844819614dbb8fab951aa1e3205728a0ceb627a14b25ef93292bc
File outdated by:  RHBA-2016:0674
    MD5: 3b5e49557a54748f857c4fdf99068704
SHA-256: 609dfdfffeebc2d08cc69bdb1be522212864ad41cf1aab4a156a823e2db3a252
File outdated by:  RHBA-2016:0674
    MD5: 8d358b2d0853dd35a6c7ed7471f3a6b0
SHA-256: 3fe97806c7f7e61e7dba01b6b1d01a5719f3005e5b201cf1942212990d8b15ed
File outdated by:  RHBA-2016:0674
    MD5: 1326e70947f46d7222543a801fd8d647
SHA-256: 45c788b1d86f0e8a5017f143ee3ac92e2551ef6fefe2e3c1f539d464c74e043a
File outdated by:  RHBA-2016:0674
    MD5: d123871c82d9f2abca8d2f1b06f81c9e
SHA-256: 7af88feb3babe270b40cfffe5e679250ef6e3c4c5a315bae290863091e87e740
File outdated by:  RHBA-2016:0674
    MD5: 074490a8e0534d80d3e11947f38a59ff
SHA-256: 90f2525fafb0fd25a6cf5c5e8f8082e6670e3048a29726513c3acd1d0a3d6eb2
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1281326 - CVE-2015-5330 samba, libldb: remote memory read in the Samba LDAP server
1290287 - CVE-2015-3223 libldb: Remote DoS in Samba (AD) LDAP server


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at