CVE-2017-9287

NameCVE-2017-9287
Descriptionservers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to a double free vulnerability. A user with access to search the directory can crash slapd by issuing a search including the Paged Results control with a page size of 0.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-972-1, DSA-3868-1
Debian Bugs863563

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openldap (PTS)jessie, jessie (lts)2.4.40+dfsg-1+deb8u11fixed
stretch (security), stretch (lts), stretch2.4.44+dfsg-5+deb9u9fixed
buster, buster (security)2.4.47+dfsg-3+deb10u7fixed
bullseye (security), bullseye2.4.57+dfsg-3+deb11u1fixed
trixie, bookworm2.5.13+dfsg-5fixed
sid2.5.16+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
openldapsourcewheezy2.4.31-2+deb7u3DLA-972-1
openldapsourcejessie2.4.40+dfsg-1+deb8u3DSA-3868-1
openldapsource(unstable)2.4.44+dfsg-5863563

Notes

http://www.openldap.org/its/?findid=8655
https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=0cee1ffb6021b1aae3fcc9581699da1c85a6dd6e

Search for package or bug name: Reporting problems