CVE-2017-9287

NameCVE-2017-9287
Descriptionservers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to a double free vulnerability. A user with access to search the directory can crash slapd by issuing a search including the Paged Results control with a page size of 0.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-972-1, DSA-3868-1
NVD severitymedium (attack range: remote)
Debian Bugs863563

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openldap (PTS)wheezy2.4.31-2+deb7u2vulnerable
wheezy (security)2.4.31-2+deb7u3fixed
jessie (security), jessie2.4.40+dfsg-1+deb8u3fixed
stretch2.4.44+dfsg-5+deb9u1fixed
buster, sid2.4.45+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
openldapsource(unstable)2.4.44+dfsg-5medium863563
openldapsourcejessie2.4.40+dfsg-1+deb8u3mediumDSA-3868-1
openldapsourcewheezy2.4.31-2+deb7u3mediumDLA-972-1

Notes

http://www.openldap.org/its/?findid=8655
https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=0cee1ffb6021b1aae3fcc9581699da1c85a6dd6e

Search for package or bug name: Reporting problems