Security update for openldap2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0976-1 Final 1 1 2020-07-17T16:29:26Z current 2020-07-17T16:29:26Z 2020-07-17T16:29:26Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openldap2 This update for openldap2 fixes the following issues: - CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698). - Changed DB_CONFIG to root:ldap permissions (bsc#1172704). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-976 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SY5CPNSTO2WSZ7XMVAJWQ743XLEQBEJE/ E-Mail link for openSUSE-SU-2020:0976-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1172698 SUSE Bug 1172698 https://bugzilla.suse.com/1172704 SUSE Bug 1172704 https://www.suse.com/security/cve/CVE-2020-8023/ SUSE CVE CVE-2020-8023 page openSUSE Leap 15.2 libldap-2_4-2-2.4.46-lp152.14.3.1 libldap-2_4-2-32bit-2.4.46-lp152.14.3.1 libldap-data-2.4.46-lp152.14.3.1 openldap2-2.4.46-lp152.14.3.1 openldap2-back-meta-2.4.46-lp152.14.3.1 openldap2-back-perl-2.4.46-lp152.14.3.1 openldap2-back-sock-2.4.46-lp152.14.3.1 openldap2-back-sql-2.4.46-lp152.14.3.1 openldap2-client-2.4.46-lp152.14.3.1 openldap2-contrib-2.4.46-lp152.14.3.1 openldap2-devel-2.4.46-lp152.14.3.1 openldap2-devel-32bit-2.4.46-lp152.14.3.1 openldap2-devel-static-2.4.46-lp152.14.3.1 openldap2-doc-2.4.46-lp152.14.3.1 openldap2-ppolicy-check-password-1.2-lp152.14.3.1 libldap-2_4-2-2.4.46-lp152.14.3.1 as a component of openSUSE Leap 15.2 libldap-2_4-2-32bit-2.4.46-lp152.14.3.1 as a component of openSUSE Leap 15.2 libldap-data-2.4.46-lp152.14.3.1 as a component of openSUSE Leap 15.2 openldap2-2.4.46-lp152.14.3.1 as a component of openSUSE Leap 15.2 openldap2-back-meta-2.4.46-lp152.14.3.1 as a component of openSUSE Leap 15.2 openldap2-back-perl-2.4.46-lp152.14.3.1 as a component of openSUSE Leap 15.2 openldap2-back-sock-2.4.46-lp152.14.3.1 as a component of openSUSE Leap 15.2 openldap2-back-sql-2.4.46-lp152.14.3.1 as a component of openSUSE Leap 15.2 openldap2-client-2.4.46-lp152.14.3.1 as a component of openSUSE Leap 15.2 openldap2-contrib-2.4.46-lp152.14.3.1 as a component of openSUSE Leap 15.2 openldap2-devel-2.4.46-lp152.14.3.1 as a component of openSUSE Leap 15.2 openldap2-devel-32bit-2.4.46-lp152.14.3.1 as a component of openSUSE Leap 15.2 openldap2-devel-static-2.4.46-lp152.14.3.1 as a component of openSUSE Leap 15.2 openldap2-doc-2.4.46-lp152.14.3.1 as a component of openSUSE Leap 15.2 openldap2-ppolicy-check-password-1.2-lp152.14.3.1 as a component of openSUSE Leap 15.2 A acceptance of Extraneous Untrusted Data With Trusted Data vulnerability in the start script of openldap2 of SUSE Enterprise Storage 5, SUSE Linux Enterprise Debuginfo 11-SP3, SUSE Linux Enterprise Debuginfo 11-SP4, SUSE Linux Enterprise Point of Sale 11-SP3, SUSE Linux Enterprise Server 11-SECURITY, SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8; openSUSE Leap 15.1, openSUSE Leap 15.2 allows local attackers to escalate privileges from user ldap to root. This issue affects: SUSE Enterprise Storage 5 openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Debuginfo 11-SP3 openldap2 versions prior to 2.4.26-0.74.13.1,. SUSE Linux Enterprise Debuginfo 11-SP4 openldap2 versions prior to 2.4.26-0.74.13.1,. SUSE Linux Enterprise Point of Sale 11-SP3 openldap2 versions prior to 2.4.26-0.74.13.1,. SUSE Linux Enterprise Server 11-SECURITY openldap2-client-openssl1 versions prior to 2.4.26-0.74.13.1. SUSE Linux Enterprise Server 11-SP4-LTSS openldap2 versions prior to 2.4.26-0.74.13.1,. SUSE Linux Enterprise Server 12-SP2-BCL openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server 12-SP2-LTSS openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server 12-SP3-BCL openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server 12-SP3-LTSS openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server 12-SP4 openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server 12-SP5 openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server 15-LTSS openldap2 versions prior to 2.4.46-9.31.1. SUSE Linux Enterprise Server for SAP 12-SP2 openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server for SAP 12-SP3 openldap2 versions prior to 2.4.41-18.71.2. SUSE Linux Enterprise Server for SAP 15 openldap2 versions prior to 2.4.46-9.31.1. SUSE OpenStack Cloud 7 openldap2 versions prior to 2.4.41-18.71.2. SUSE OpenStack Cloud 8 openldap2 versions prior to 2.4.41-18.71.2. SUSE OpenStack Cloud Crowbar 8 openldap2 versions prior to 2.4.41-18.71.2. openSUSE Leap 15.1 openldap2 versions prior to 2.4.46-lp151.10.12.1. openSUSE Leap 15.2 openldap2 versions prior to 2.4.46-lp152.14.3.1. CVE-2020-8023 openSUSE Leap 15.2:libldap-2_4-2-2.4.46-lp152.14.3.1 openSUSE Leap 15.2:libldap-2_4-2-32bit-2.4.46-lp152.14.3.1 openSUSE Leap 15.2:libldap-data-2.4.46-lp152.14.3.1 openSUSE Leap 15.2:openldap2-2.4.46-lp152.14.3.1 openSUSE Leap 15.2:openldap2-back-meta-2.4.46-lp152.14.3.1 openSUSE Leap 15.2:openldap2-back-perl-2.4.46-lp152.14.3.1 openSUSE Leap 15.2:openldap2-back-sock-2.4.46-lp152.14.3.1 openSUSE Leap 15.2:openldap2-back-sql-2.4.46-lp152.14.3.1 openSUSE Leap 15.2:openldap2-client-2.4.46-lp152.14.3.1 openSUSE Leap 15.2:openldap2-contrib-2.4.46-lp152.14.3.1 openSUSE Leap 15.2:openldap2-devel-2.4.46-lp152.14.3.1 openSUSE Leap 15.2:openldap2-devel-32bit-2.4.46-lp152.14.3.1 openSUSE Leap 15.2:openldap2-devel-static-2.4.46-lp152.14.3.1 openSUSE Leap 15.2:openldap2-doc-2.4.46-lp152.14.3.1 openSUSE Leap 15.2:openldap2-ppolicy-check-password-1.2-lp152.14.3.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SY5CPNSTO2WSZ7XMVAJWQ743XLEQBEJE/ https://www.suse.com/security/cve/CVE-2020-8023.html CVE-2020-8023 https://bugzilla.suse.com/1172698 SUSE Bug 1172698 https://bugzilla.suse.com/1190347 SUSE Bug 1190347