CVE-2019-13565

Priority
Description
An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL
authentication and session encryption, and relying on the SASL security
layers in slapd access controls, it is possible to obtain access that would
otherwise be denied via a simple bind for any identity covered in those
ACLs. After the first SASL bind is completed, the sasl_ssf value is
retained for all new non-SASL connections. Depending on the ACL
configuration, this can affect different types of operations (searches,
modifications, etc.). In other words, a successful authorization step
completed by one user affects the authorization requirement for a different
user.
Assigned-to
mdeslaur
Package
Upstream: released (2.4.48+dfsg-1)
Ubuntu 12.04 ESM (Precise Pangolin): released (2.4.28-1.1ubuntu4.9)
Ubuntu 14.04 ESM (Trusty Tahr): released (2.4.31-1+nmu2ubuntu8.5+esm1)
Ubuntu 16.04 LTS (Xenial Xerus): released (2.4.42+dfsg-2ubuntu3.6)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.4.45+dfsg-1ubuntu1.3)
Ubuntu 19.04 (Disco Dingo): released (2.4.47+dfsg-3ubuntu2.1)
Ubuntu 19.10 (Eoan): released (2.4.47+dfsg-3ubuntu3)
Patches:
Upstream: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=744a46a1acb93798f4e027290191d6a11dd4c18c
More Information

Updated: 2019-08-19 14:14:24 UTC (commit e8b223ee423be5488081a1ad137e3ecd6b39b0ff)