PT-2009-1039 · Openldap+1
Published: 2009-10-23 · Updated: 2020-10-14 · CVE-2009-3767
CVSS v2.0: 7.1 (High)
| Vector | AV:N/AC:M/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
openldap versions 2.1.30 through 2.2.13
openldap versions prior to 2.4.35
openldap-devel versions 2.2.13
openldap-clients versions 2.2.13
openldap-servers versions 2.2.13
openldap-servers-sql versions 2.2.13
compat-openldap versions 2.1.30
Description
OpenLDAP's client library (libldap), when built against OpenSSL, does not properly handle a NUL ('\0') character embedded in a domain name in the subject Common Name (CN) field of an X.509 server certificate. The CN is a length-delimited ASN.1 string, but the host-name check treats it as a C string and stops comparing at the first NUL byte. A man-in-the-middle attacker who obtains a certificate from a legitimate Certification Authority for a name of the form "ldap.example.com\0.attacker.example" (the CA validates only the attacker-controlled suffix, while the client sees only the prefix) can therefore impersonate arbitrary SSL/TLS servers to vulnerable clients and intercept or alter the LDAP session, including any credentials it carries. The vulnerability is exploitable remotely, but the attacker must be positioned on the network path between the client and the directory server.
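The following added example (not OpenLDAP's own code, and not the tls_o.c routine itself) reproduces the class of defect described above in isolation: a length-delimited certificate CN containing an embedded NUL is passed to a C-string comparison, which stops at the NUL and accepts the certificate, beside a hardened check that rejects the embedded NUL and compares exactly the declared number of bytes. The CN bytes, the host name and the function names are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample CN as it would sit in DER: a length-delimited string
 * with an embedded NUL. Not taken from any real certificate. */
static const unsigned char SAMPLE_CN[] = "ldap.example.com\0.attacker.example";
/* 34 bytes: 16 ("ldap.example.com") + 1 (NUL) + 17 (".attacker.example");
 * sizeof - 1 drops only the array's own terminating NUL. */
#define SAMPLE_CN_LEN (sizeof(SAMPLE_CN) - 1)

/* Vulnerable pattern (hypothetical name): the declared length is ignored and
 * the CN is compared as a C string, so comparison ends at the embedded NUL. */
int cn_matches_vulnerable(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len; /* ignoring the length is the bug */
    return strcasecmp((const char *)cn, host) == 0;
}

/* Hardened pattern (hypothetical name): a CN whose declared length disagrees
 * with its C-string length contains an embedded NUL and is rejected outright;
 * otherwise exactly cn_len bytes are compared, case-insensitively, and the
 * host name must be exactly that long. */
int cn_matches_fixed(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0; /* embedded NUL: do not trust this certificate */
    if (strlen(host) != cn_len)
        return 0; /* prefix or suffix match is not a match */
    for (size_t i = 0; i < cn_len; i++) {
        if (tolower(cn[i]) != tolower((unsigned char)host[i]))
            return 0;
    }
    return 1;
}

int main(void)
{
    const char *host = "ldap.example.com";
    printf("vulnerable check accepts crafted CN: %d\n",
           cn_matches_vulnerable(SAMPLE_CN, SAMPLE_CN_LEN, host));
    printf("fixed check accepts crafted CN:      %d\n",
           cn_matches_fixed(SAMPLE_CN, SAMPLE_CN_LEN, host));
    printf("fixed check accepts genuine CN:      %d\n",
           cn_matches_fixed((const unsigned char *)"LDAP.Example.COM", 16, host));
    return 0;
}
```

The decisive line is the memchr test: any X.509 string whose ASN.1 length exceeds the position of its first NUL byte is malformed for host-name purposes, and the safe response is to fail the match rather than to compare the part before the NUL.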
Recommendations
Update OpenLDAP to version 2.4.35 or later (the fixed release implied by the affected range listed above).
On Red Hat systems, where openldap 2.1.30 and 2.2.13 are shipped, apply the vendor's updated openldap, openldap-devel, openldap-clients, openldap-servers, openldap-servers-sql and compat-openldap packages, which carry the fix as a backport to those version numbers.
After updating, restart every long-running process that has libldap loaded (directory-aware daemons, NSS/PAM consumers, web servers with LDAP modules), otherwise the patched library is not in use.
There is no configuration-level workaround that fully removes the issue, because the defect lies in the client's check of the server certificate, not in the server; restricting access to the package does not stop a man-in-the-middle. Until the update is deployed, confine LDAP/LDAPS client traffic to network paths where an attacker cannot interpose.
Fix
Upgrade to a fixed OpenLDAP release as described under Recommendations.
Weakness Enumeration
Improper Certificate Validation (CWE-295)
Related Identifiers
CVE-2009-3767
Affected Products
Openldap
Red Hat