Re: OpenLDAP 2.3.35 available

[Howard Chu <hyc@symas.com>]

OpenLDAP Project wrote:
> OpenLDAP 2.3.35 is now available for download as detailed
> on our download page:
>    http://www.openldap.org/software/download/
>
> and should soon be available on all official mirrors:
>    ftp://ftp.openldap.org/pub/OpenLDAP/MIRRORS
>
> This is a maintenance release and is made available for
> general use.  Users of OpenLDAP Software are encouraged
> to upgrade.
>
> Significant contributors to this release include:
>    Quanah Gibson-Mount (Stanford)
>    Pierangelo Masarati (SysNet)
>    Howard Chu (Symas)
>
> -- The OpenLDAP Project
>
>
> OpenLDAP 2.3.35 Release (2007/04/09)
>      Fixed ldapmodify to use correct memory free functions (ITS#4901)
>      Fixed slapd acl set minor typo (ITS#4874)
>      Fixed slapd entry consistency check in str2entry2 (ITS#4852)
>      Fixed slapd ldapi:// credential issue (ITS#4893)

ITS#4893 addresses security implications on HPUX. If you're using 
ldapi:// on HPUX 11 it is possible for regular users to bind to the 
directory with the credentials of Unix root. Similar exploits may be 
possible on AIX 5.1 and older, and Solaris 2.9 and older. This release 
disables the insecure credential passing mechanism on these OS versions; 
if you were relying on SASL/EXTERNAL authentication with ldapi:// on the 
affected platforms that mechanism will no longer work after you install 
this release.

We may re-enable these mechanisms in a later update, depending on user 
demand. In the meantime, if you're using ldapi:// on these platforms, 
you need to stop or upgrade to this release ASAP. Workarounds are still 
being tested and will be made available as they become ready.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/