CVE-2023-2953

Name	CVE-2023-2953
Description	A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1036995

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
openldap (PTS)	jessie, jessie (lts)	2.4.40+dfsg-1+deb8u11	vulnerable
	stretch (security), stretch (lts), stretch	2.4.44+dfsg-5+deb9u9	vulnerable
	buster (security), buster, buster (lts)	2.4.47+dfsg-3+deb10u7	vulnerable
	bullseye (security), bullseye	2.4.57+dfsg-3+deb11u1	vulnerable
	bookworm	2.5.13+dfsg-5	vulnerable
	sid, trixie	2.5.18+dfsg-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
openldap	source	experimental	2.6.4+dfsg-1~exp1
openldap	source	(unstable)	2.5.16+dfsg-1			1036995

Notes

[bookworm] - openldap <no-dsa> (Minor issue)
[bullseye] - openldap <no-dsa> (Minor issue)
[buster] - openldap <no-dsa> (Minor issue)
https://bugs.openldap.org/show_bug.cgi?id=9904
https://git.openldap.org/openldap/openldap/-/commit/ea8dd2d279c5aeaf9d4672a4e95bebd99babcce1 (master)
https://git.openldap.org/openldap/openldap/-/commit/3f2abd0b2eeec8522e50d5c4ea4992e70e8f9915 (master)
https://git.openldap.org/openldap/openldap/-/commit/c5c8c06a8bd52ea7b843e7d8ca961a7d1800ce5f (OPENLDAP_REL_ENG_2_6_4)
https://git.openldap.org/openldap/openldap/-/commit/840944e26f734bb03d925f26c4ef11a6cedcbb9c (OPENLDAP_REL_ENG_2_6_4)
https://git.openldap.org/openldap/openldap/-/commit/752d320cf96e46f24c0900f1a8f6af0a3fc3c4ce (OPENLDAP_REL_ENG_2_5_14)
https://git.openldap.org/openldap/openldap/-/commit/6563fab9e2feccb0a684d0398e78571d09fb808b (OPENLDAP_REL_ENG_2_5_14)
[stretch] - openldap <no-dsa> (Minor issue)
[jessie] - openldap <no-dsa> (Minor issue)