CVE-2011-1025

Name: CVE-2011-1025
Description: bind.cpp in back-ndb in OpenLDAP 2.4.x before 2.4.24 does not require authentication for the root Distinguished Name (DN), which allows remote attackers to bypass intended access restrictions via an arbitrary password.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)
Debian Bugs: 617606

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| openldap (PTS) | jessie | 2.4.40+dfsg-1+deb8u4 | fixed |
| | jessie (security) | 2.4.40+dfsg-1+deb8u3 | fixed |
| | stretch | 2.4.44+dfsg-5+deb9u2 | fixed |
| | buster, sid | 2.4.46+dfsg-5 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| openldap | source | (unstable) | 2.4.25-1 | unimportant | | 617606 |
| openldap | source | squeeze | 2.4.23-7.1 | medium | | |

Notes

NDB backend disabled in Debian builds
