Debian 10265 Published by

A ldb security update has been released for Debian GNU/Linux 10 to address multiple vulnerabilities.



DSA 4884-1: ldb security update



- -------------------------------------------------------------------------
Debian Security Advisory DSA-4884-1 security@debian.org
  https://www.debian.org/security/ Salvatore Bonaccorso
April 02, 2021   https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ldb
CVE ID : CVE-2020-10730 CVE-2020-27840 CVE-2021-20277
Debian Bug : 985935 985936

Multiple vulnerabilities have been discovered in ldb, a LDAP-like
embedded database built on top of TDB.

CVE-2020-10730

Andrew Bartlett discovered a NULL pointer dereference and
use-after-free flaw when handling 'ASQ' and 'VLV' LDAP controls and
combinations with the LDAP paged_results feature.

CVE-2020-27840

Douglas Bagnall discovered a heap corruption flaw via crafted
DN strings.

CVE-2021-20277

Douglas Bagnall discovered an out-of-bounds read vulnerability in
handling LDAP attributes that contains multiple consecutive
leading spaces.

For the stable distribution (buster), these problems have been fixed in
version 2:1.5.1+really1.4.6-3+deb10u1.

We recommend that you upgrade your ldb packages.

For the detailed security status of ldb please refer to its security
tracker page at:
  https://security-tracker.debian.org/tracker/ldb

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at:   https://www.debian.org/security/