In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash).

Reference: https://bugs.openldap.org/show_bug.cgi?id=9202

Upstream commits:
https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_4/CHANGES
https://git.openldap.org/openldap/openldap/-/commit/98464c11df8247d6a11b52e294ba5dd4f0380440
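As an added example (not code from this bug or from OpenLDAP), a defender-side check that scores the boolean nesting depth of a search filter in its RFC 4515 string form, such as the filter= value slapd writes to its access log, so that unusually deep filters can be flagged or rejected in front of an unpatched server. The limit, the function names and the sample filters are this example's own assumptions.

```python
"""Iterative nesting-depth check for LDAP search filters (RFC 4515 string form)."""

# Hypothetical limit for this example; tune it to the deepest filter your real clients send.
MAX_FILTER_DEPTH = 64


class FilterSyntaxError(ValueError):
    """Raised when parentheses in the filter string are unbalanced."""


def boolean_nesting_depth(filter_str: str) -> int:
    r"""Return the deepest nesting of the &, | and ! operators in a filter.

    The scan uses an explicit stack instead of recursion, so the checker itself
    cannot be driven into stack exhaustion by the input it is meant to catch.
    Assumes a well-formed RFC 4515 filter, where '(' and ')' inside assertion
    values are escaped as \28 and \29 and therefore never appear literally.
    """
    stack = []                 # one entry per open '(': True for a boolean op, False for an item
    depth = max_depth = 0
    i, n = 0, len(filter_str)
    while i < n:
        ch = filter_str[i]
        if ch == '(':
            is_bool = i + 1 < n and filter_str[i + 1] in '&|!'
            stack.append(is_bool)
            if is_bool:
                depth += 1
                max_depth = max(max_depth, depth)
                i += 1         # skip the operator character itself
        elif ch == ')':
            if not stack:
                raise FilterSyntaxError("unbalanced ')' at offset %d" % i)
            if stack.pop():
                depth -= 1
        i += 1
    if stack:
        raise FilterSyntaxError("unterminated '(' in filter")
    return max_depth


def filter_is_acceptable(filter_str: str, limit: int = MAX_FILTER_DEPTH) -> bool:
    """True if the filter nests boolean operators no deeper than `limit`; malformed filters are rejected."""
    try:
        return boolean_nesting_depth(filter_str) <= limit
    except FilterSyntaxError:
        return False


if __name__ == "__main__":
    # Constructed sample filters, as they would appear in a slapd access log.
    for f in ["(cn=test)", "(&(objectClass=person)(|(cn=a*)(sn=b*)))", "(!(uid=x))"]:
        print(boolean_nesting_depth(f), filter_is_acceptable(f), f)
```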
Created openldap tracking bugs for this issue:

Affects: fedora-all [bug 1833536]
This vulnerability is out of security support scope for the following products:

* Red Hat Enterprise Application Platform 5
* Red Hat JBoss Enterprise Web Server 2

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4041 https://access.redhat.com/errata/RHSA-2020:4041
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-12243
Hello,

while doing a review of the Vulnerability Assessment report of RHEL 8.6 for the purpose of Common Criteria certification, we came across CVE-2020-12243. The CVE page https://access.redhat.com/security/cve/cve-2020-12243 lists RHEL 8 as Not affected. Could a Statement be added to that CVE page that RHEL 8 is not affected because it does not ship slapd, similar to https://access.redhat.com/security/cve/cve-2020-36221?

Thank you,
Jan
In reply to comment #9:
> Could a Statement be added to that CVE page that RHEL 8 is not affected

Added statement.