ALAS-2014-294


Amazon Linux AMI Security Advisory: ALAS-2014-294
Advisory Release Date: 2014-09-16 22:33 Pacific
Severity: Medium
References: CVE-2013-4449 

Issue Overview:

The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search.


Affected Packages:

openldap


Issue Correction:
Run yum update openldap to update your system.

New Packages:
i686:
    openldap-servers-sql-2.4.23-34.23.amzn1.i686
    openldap-devel-2.4.23-34.23.amzn1.i686
    openldap-debuginfo-2.4.23-34.23.amzn1.i686
    openldap-2.4.23-34.23.amzn1.i686
    openldap-servers-2.4.23-34.23.amzn1.i686
    openldap-clients-2.4.23-34.23.amzn1.i686

src:
    openldap-2.4.23-34.23.amzn1.src

x86_64:
    openldap-servers-2.4.23-34.23.amzn1.x86_64
    openldap-clients-2.4.23-34.23.amzn1.x86_64
    openldap-devel-2.4.23-34.23.amzn1.x86_64
    openldap-debuginfo-2.4.23-34.23.amzn1.x86_64
    openldap-2.4.23-34.23.amzn1.x86_64
    openldap-servers-sql-2.4.23-34.23.amzn1.x86_64