[3.7] openldap: Multiple vulnerabilities (CVE-2017-14159, CVE-2017-17740)
CVE-2017-14159: slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a “kill `cat /pathname`” command, as demonstrated by openldap-initscript.

CVE-2017-17740: contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.
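
For CVE-2017-14159, a root-run stop script can validate the PID file before signalling instead of trusting its contents. The following is an added example, not OpenLDAP's or Alpine's code; the function name `pid_from_pidfile`, its return codes and the placeholder paths are assumptions, and it relies on Linux `/proc`.

```shell
#!/bin/sh
# Added example: checks a root script can make before signalling the PID
# read from a PID file. The pattern quoted in the CVE text,
# kill `cat /pathname`, trusts whatever the non-root account wrote there.

# pid_from_pidfile PIDFILE EXPECTED_EXE   (hypothetical helper)
# Prints the PID and returns 0 only if every check passes.
# Returns 1: untrusted file, 2: bad content, 3: process is not EXPECTED_EXE.
pid_from_pidfile() {
    pidfile=$1
    expected_exe=$2

    # Refuse symlinks and anything that is not a regular file.
    [ -L "$pidfile" ] && return 1
    [ -f "$pidfile" ] || return 1

    # -O: the file is owned by the effective UID of this script. Run as
    # root, this rejects a PID file created after the privilege drop.
    [ -O "$pidfile" ] || return 1

    # Accept exactly one line holding a decimal PID greater than 1.
    IFS= read -r pid < "$pidfile" || [ -n "$pid" ] || return 2
    case $pid in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$pid" -gt 1 ] 2>/dev/null || return 2

    # Confirm the PID currently belongs to the expected binary.
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || return 3
    [ "$exe" = "$expected_exe" ] || return 3

    printf '%s\n' "$pid"
}

# Usage in a stop script (both paths are placeholders):
#   pid=$(pid_from_pidfile /path/to/slapd.pid /path/to/slapd) && kill "$pid"
```

A window remains between the check and the `kill`, so this narrows the exposure rather than removing it; the ownership test is what catches the condition the CVE describes.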
(from redmine: issue id 8786, created on 2018-04-10)
- copied_to #8784
- parent #8784
- Revision 2139b18f by Jakub Jirutka on 2018-05-20T21:05:54Z:
main/sqlite: fix CVE-2018-8740 Ref #8786 (https://bugs.alpinelinux.org/issues/8786)