RedHat Update for openldap RHSA-2010:0198-04

Solution
Please Install the Updated Packages.
Insight
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. A flaw was found in the way OpenLDAP handled NUL characters in the CommonName field of X.509 certificates. An attacker able to get a carefully-crafted certificate signed by a trusted Certificate Authority could trick applications using OpenLDAP libraries into accepting it by mistake, allowing the attacker to perform a man-in-the-middle attack. (CVE-2009-3767) This update also fixes the following bugs: * the ldap init script did not provide a way to alter system limits for the slapd daemon. A variable is now available in &quot /etc/sysconfig/ldap&quot for this option. (BZ#527313) * applications that use the OpenLDAP libraries to contact a Microsoft Active Directory server could crash when a large number of network interfaces existed. This update implements locks in the OpenLDAP library code to resolve this issue. (BZ#510522) * when slapd was configured to allow client certificates, approximately 90% of connections froze because of a large CA certificate file and slapd not checking the success of the SSL handshake. (BZ#509230) * the OpenLDAP server would freeze for unknown reasons under high load. These packages add support for accepting incoming connections by new threads, resolving the issue. (BZ#507276) * the compat-openldap libraries did not list dependencies on other libraries, causing programs that did not specifically specify the libraries to fail. Detection of the Application Binary Interface (ABI) in use on 64-bit systems has been added with this update. (BZ#503734) * the OpenLDAP libraries caused applications to crash due to an unprocessed network timeout. A timeval of -1 is now passed when NULL is passed to LDAP. (BZ#495701) * slapd could crash on a server under heavy load when using rwm overlay, caused by freeing non-allocated memory during operation cleanup. (BZ#495628) * the ldap init script made a temporary script in &quot /tmp/&quot and attempted to execute it. Problems arose when &quot /tmp/&quot was mounted with the noexec option. The temporary script is no longer created. (BZ#483356) * the ldap init script always started slapd listening on ldap:/// even if instructed to listen only on ldaps:///. By correcting the init script, a user can now select which ports slapd should listen on. (BZ#481003) * the slapd manual page did not mention the supported options -V and -o. (BZ#468206) * slapd.conf had a commented-out op ... Description truncated, for more information please check the Reference URL
Affected
openldap on Red Hat Enterprise Linux (v. 5 server)
References