An updated bind-dyndb-ldap package that fixes one security issue is now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The dynamic LDAP back end is a plug-in for BIND that provides back-end capabilities to LDAP databases. It features support for dynamic updates and internal caching that help to reduce the load on LDAP servers.
- A flaw was found in the way bind-dyndb-ldap handled LDAP query errors. If a remote attacker were able to send DNS queries to a named server that is configured to use bind-dyndb-ldap, they could trigger such an error with a DNS query leveraging bind-dyndb-ldap's insufficient escaping of the LDAP base DN (distinguished name). This would result in an invalid LDAP query that named would retry in a loop, preventing it from responding to other DNS queries. With this update, bind-dyndb-ldap only attempts to retry one time when an LDAP search returns an unexpected error.
Red Hat would like to thank Ronald van Zantvoort for reporting this issue.
All bind-dyndb-ldap users should upgrade to this updated package, which contains a backported patch to correct this issue. For the update to take effect, the named service must be restarted.
An updated bind-dyndb-ldap package that fixes several bugs is now available for Red Hat Enterprise Linux 6.
The dynamic LDAP (Lightweight Directory Access Protocol) back end is a plug-in for BIND that provides an LDAP database back-end capabilities. It features support for dynamic updates and internal caching to lift the load off of the LDAP server.
- Previously, the bind-dyndb-ldap plug-in could faile to honor the selected authentication method because it did not call the ldap_bind() function on reconnection. Consequently, the plug-in connected to the LDAP server anonymously. With this update, the ldap_bind() function is executed on reconnection and the plug-in uses the correct authentication method in the described scenario.
- The bind-dyndb-ldap plug-in failed to load new zones from the LDAP server runtime. This update adds the zone_refresh parameter to the plug-in which controls how often the zone check is performed.
- The bind-dyndb-ldap plug-in could fail to connect to the LDAP server. This happened when the LDAP server was using localhost and FreeIPA installation was using a name different from the machine hostname. This update adds to the plug-in the ldap_hostname option, which can be used to set the correct LDAP server hostname.
- The "named" process could have remained unresponsive due to a race condition in the bind-dyndb-ldap plug-in. With this update, the race condition has been resolved and the problem no longer occurs.
All users of bind-dyndb-ldap are advised to upgrade to this updated package, which fixes these bugs.