Debian Security Advisory
DSA-4884-1 ldb -- security update
- Date Reported:
- 02 Apr 2021
- Affected Packages:
- ldb
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 985935, Bug 985936.
In Mitre's CVE dictionary: CVE-2020-10730, CVE-2020-27840, CVE-2021-20277. - More information:
-
Multiple vulnerabilities have been discovered in ldb, a LDAP-like embedded database built on top of TDB.
- CVE-2020-10730
Andrew Bartlett discovered a NULL pointer dereference and use-after-free flaw when handling
ASQ
andVLV
LDAP controls and combinations with the LDAP paged_results feature. - CVE-2020-27840
Douglas Bagnall discovered a heap corruption flaw via crafted DN strings.
- CVE-2021-20277
Douglas Bagnall discovered an out-of-bounds read vulnerability in handling LDAP attributes that contains multiple consecutive leading spaces.
For the stable distribution (buster), these problems have been fixed in version 2:1.5.1+really1.4.6-3+deb10u1.
We recommend that you upgrade your ldb packages.
For the detailed security status of ldb please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ldb
- CVE-2020-10730