CVE-2015-6908
openldap - security update
EPSS 70.5%
Description
The ber_get_next function in libraries/liblber/io.c in OpenLDAP 2.4.42 and earlier allows remote attackers to cause a denial of service (reachable assertion and application crash) via crafted BER data, as demonstrated by an attack against slapd.
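The description above names the failure mode: a BER decoder that validates untrusted input with an assertion turns a malformed length into a process crash. As an added illustration (not OpenLDAP's liblber code), the defensive alternative is a tag-and-length header parser that returns an error for indefinite, reserved, unrepresentable or oversized lengths instead of asserting; the max_len ceiling is this example's assumption and plays the role that slapd's sockbuf_max_incoming limit plays in OpenLDAP.

```c
/* Defensive decode of a BER tag + definite length header from untrusted
 * bytes. Illustrative only; this is not OpenLDAP's liblber code. Malformed
 * input yields an error return, never an assertion failure. */
#include <stddef.h>
#include <stdint.h>

enum { BER_OK = 0, BER_ERR = -1, BER_NEED_MORE = -2 };
struct ber_hdr {
    uint32_t tag;  /* first tag byte, plus up to three continuation bytes */
    size_t   len;  /* content length (LDAP permits only the definite form) */
    size_t   hdr;  /* bytes consumed by tag and length */
};

/* Parse buf[0..n). max_len is the caller's ceiling on the element size
 * (assumed here; slapd has sockbuf_max_incoming for the same purpose).
 * Returns BER_OK, BER_NEED_MORE (header truncated) or BER_ERR (invalid). */
int ber_decode_header(const unsigned char *buf, size_t n, size_t max_len,
                      struct ber_hdr *out)
{
    size_t i = 0, nlen, len;
    uint32_t tag;
    if (n == 0) return BER_NEED_MORE;
    tag = buf[i++];
    if ((tag & 0x1f) == 0x1f) {            /* high-tag-number form */
        int k = 0;
        do {
            if (i >= n) return BER_NEED_MORE;
            if (++k > 3) return BER_ERR;   /* tag longer than supported */
            tag = (tag << 8) | buf[i];
        } while (buf[i++] & 0x80);
    }
    if (i >= n) return BER_NEED_MORE;
    len = nlen = buf[i++];
    if (nlen & 0x80) {                     /* long form: 0x80|k, then k bytes */
        nlen &= 0x7f;
        if (nlen == 0 || nlen == 0x7f) return BER_ERR;  /* indefinite / reserved */
        if (nlen > sizeof(size_t)) return BER_ERR;      /* not representable */
        if (n - i < nlen) return BER_NEED_MORE;
        len = 0;
        for (size_t j = 0; j < nlen; j++) len = (len << 8) | buf[i + j];
        i += nlen;
    }
    if (len > max_len) return BER_ERR;     /* oversized element: reject the PDU */
    out->tag = tag;
    out->len = len;
    out->hdr = i;
    return BER_OK;
}
```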
How to fix CVE-2015-6908
To remediate CVE-2015-6908, upgrade the affected package to a fixed version below.
- Debian/openldap—upgrade to 2.4.42+dfsg-2 or later
- Debian/openldap—upgrade to 2.4.23-7.3+deb6u2 or later
- Debian/openldap—upgrade to 2.4.31-2+deb7u1 or later
Is CVE-2015-6908 being exploited?
Likely — EPSS is 70.5%, placing CVE-2015-6908 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (3)
- Debian/openldap: all versions before 2.4.42+dfsg-2
- Debian/openldap: all versions before 2.4.23-7.3+deb6u2
- Debian/openldap: all versions before 2.4.31-2+deb7u1