3. Bugs Fixed in Directory Server 7.1 SP7

The following are some of the most important bugs fixed for Directory Server 7.1 SP7. Along with this service pack, several errata have been issued for Red Hat Directory Server, fixing important security and performance issues. The complete list of errata issued for Red Hat Directory Server 7.1 SP7 for Red Hat Enterprise Linux is available through Red Hat Network at https://rhn.redhat.com/errata/rhel-dirserv-71-errata.html.

Red Hat Directory Server 7.1 SP7 is released as an update, Erratum RHSA 2008:0596, which is associated with Bugzilla #453229.

Each entry lists the Bugzilla number, any alternate IDs (other Bugzilla numbers or CVE identifiers), and a description of the bug.

Bug 233642

The change sequence numbers in multi-master replication had a built-in skew to accommodate differences in the clocks on master servers. However, this skew could grow under some circumstances to the point that it falsely hit the maximum allowed skew (one day by default) and stopped replication entirely. Because the problem was in the timestamps of the CSNs for the masters, replication could not be easily restarted. The severity of the problem increased with the number of updates made to the Directory Server.

This has been fixed.
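
The replication skew described above can be watched for on a consumer before it reaches the maximum allowed value. The following Python check is an added example and is not code from the release note or from Red Hat Directory Server. It assumes the CSN layout used by Directory Server as the author of this example knows it (20 hexadecimal digits: 8 for the timestamp in seconds since the epoch, 4 for the sequence number, 4 for the replica ID, 4 for the sub-sequence number); the page itself does not state that layout. The sample CSNs and the fixed "now" value are constructed so the output is reproducible.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# One day: the default maximum allowed clock skew named in the bug description.
MAX_SKEW_SECONDS = 24 * 60 * 60


@dataclass(frozen=True)
class CSN:
    timestamp: int    # seconds since the Unix epoch, taken from the generating master's clock
    seq: int          # sequence number within that second
    replica_id: int   # ID of the master that generated the change
    subseq: int       # sub-sequence number


def parse_csn(text: str) -> CSN:
    """Split a 20-hex-digit CSN into its fields.

    Layout assumed by this example (8 hex timestamp, 4 seq, 4 replica id, 4 subseq);
    the release note does not describe the format.
    """
    text = text.strip().lower()
    if len(text) != 20 or any(c not in "0123456789abcdef" for c in text):
        raise ValueError(f"not a 20-hex-digit CSN: {text!r}")
    return CSN(
        timestamp=int(text[0:8], 16),
        seq=int(text[8:12], 16),
        replica_id=int(text[12:16], 16),
        subseq=int(text[16:20], 16),
    )


def csn_skew(csn: CSN, now: int) -> int:
    """Seconds by which the CSN's timestamp runs ahead of the local clock (negative: behind)."""
    return csn.timestamp - now


def skew_report(latest_csns: List[str], now: Optional[int] = None) -> Dict[int, int]:
    """Map each replica ID to the largest skew among its CSNs in latest_csns.

    In practice the CSNs would be read from the consumer's replica update vector;
    here the caller passes the CSN strings directly.
    """
    if now is None:
        now = int(time.time())
    worst: Dict[int, int] = {}
    for text in latest_csns:
        csn = parse_csn(text)
        skew = csn_skew(csn, now)
        worst[csn.replica_id] = max(skew, worst.get(csn.replica_id, skew))
    return worst


def replicas_over_limit(latest_csns: List[str], now: Optional[int] = None,
                        max_skew: int = MAX_SKEW_SECONDS) -> List[int]:
    """Replica IDs whose CSNs run far enough ahead to trip the maximum allowed skew."""
    return sorted(rid for rid, skew in skew_report(latest_csns, now).items() if skew > max_skew)


# Constructed sample: three masters, with "now" pinned to a date in August 2008.
SAMPLE_NOW = 1218000000
SAMPLE_CSNS = [
    f"{SAMPLE_NOW + 120:08x}000000010000",     # replica 1: two minutes ahead, harmless
    f"{SAMPLE_NOW - 30:08x}000100020000",      # replica 2: slightly behind the local clock
    f"{SAMPLE_NOW + 90000:08x}000000030000",   # replica 3: already past the one-day limit
]

if __name__ == "__main__":
    for rid, skew in skew_report(SAMPLE_CSNS, SAMPLE_NOW).items():
        print(f"replica {rid}: skew {skew:+d}s")
    print("over limit:", replicas_over_limit(SAMPLE_CSNS, SAMPLE_NOW))
```

Run against a live consumer, the interesting input is the newest CSN per master; a replica whose skew keeps growing between two runs is the one to investigate before the limit is hit and replication stops.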

Bug 440333

There were uninitialized variables in plug-ins for logging and access controls. These have been fixed.

Bug 448831 (alternate IDs: CVE-2008-2930, 454065)

A flaw in the way the Directory Server handled LDAP search requests using patterns could allow a remote attacker to cause the Directory Server to use large amounts of CPU time. Pattern searches were not restricted by normal directory search time limits. If the attacker had access to LDAP service, he could create a search request with a search pattern that matched specially-crafted data records, running searches without time limits and consuming CPU time.

The Directory Server has been updated to apply the nsslapd-timelimit attribute to the pattern search query run time. This attribute has a default limit of 3600 seconds (one hour). To shorten the time limit, modify the nsslapd-timelimit parameter in cn=config. For example:

ldapmodify -D "cn=Directory Manager" -w password
dn: cn=config
changetype: modify
replace: nsslapd-timelimit
nsslapd-timelimit: 30
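
The ldapmodify snippet above sets the limit; the following Python helper is an added example, not part of the release note or of Directory Server, for generating that LDIF and for checking the limit actually in force from an LDIF dump of cn=config (such as the output of a base-scope ldapsearch on cn=config). The sample configuration dump is constructed. The treatment of a negative value as "no limit" is an assumption of this example, not something the page states.

```python
# Default of nsslapd-timelimit as stated in the release note (one hour).
DEFAULT_TIMELIMIT_SECONDS = 3600


def build_timelimit_ldif(seconds: int) -> str:
    """Produce the LDIF fed to ldapmodify to replace nsslapd-timelimit on cn=config."""
    if not isinstance(seconds, int) or seconds <= 0:
        raise ValueError("nsslapd-timelimit must be a positive number of seconds")
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: nsslapd-timelimit\n"
        f"nsslapd-timelimit: {seconds}\n"
    )


def effective_timelimit(config_ldif: str) -> int:
    """Read nsslapd-timelimit out of an LDIF dump of cn=config; absent means the server default."""
    for line in config_ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "nsslapd-timelimit":
            return int(value.strip())
    return DEFAULT_TIMELIMIT_SECONDS


def timelimit_within_policy(config_ldif: str, max_allowed: int) -> bool:
    """True when the configured limit caps search run time (pattern searches included) at max_allowed."""
    limit = effective_timelimit(config_ldif)
    if limit < 0:
        # Assumption of this example: a negative value means no limit, which never satisfies a cap.
        return False
    return limit <= max_allowed


# Constructed sample of a cn=config dump still carrying the default limit.
SAMPLE_CONFIG = """\
dn: cn=config
objectClass: top
cn: config
nsslapd-timelimit: 3600
nsslapd-sizelimit: 2000
"""

if __name__ == "__main__":
    print("configured limit:", effective_timelimit(SAMPLE_CONFIG), "seconds")
    print("within a 30 second policy:", timelimit_within_policy(SAMPLE_CONFIG, 30))
    print(build_timelimit_ldif(30), end="")
```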

Bug 450973

Password policy attributes are not replicated by default. However, if a password attribute such as accountunlocktime was added to an entry, the server would attempt to replicate that attribute, which would cause an error. Rather than correctly processing the error, replication would fail.

This has been fixed.

Bug 452169

In replication scenarios, if an attribute value was scheduled to be deleted and also was indexed or had an attribute subtype which was indexed, the Directory Server would crash during the index operation.

This has been fixed.

Bug 453916 (alternate IDs: 413531, 453921, CVE-2008-2928)

Several Directory Server CGI applications were affected by a buffer overflow flaw in the routine which parses Accept-Language HTTP headers. A malformed Accept-Language value could cause the web services to stop functioning and crash the server. A remote attacker with access to the Administration Server web interface could exploit the flaw to crash those CGIs or, possibly, to execute arbitrary code with the privileges of the Administration Server, which typically runs as the root user on the host machine.

This has been fixed.

Bug 454328

The Directory Server crashed on some looping operations, such as recursively adding groups as members to other groups (Group A becomes a member of Group B, which becomes a member of Group C, and so on). Because the stack size for 64-bit systems was hard-coded to 256KB, relatively small loops could still overflow the stack.

This has been fixed.
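
Membership loops of the kind described above (Group A in Group B in Group C in Group A) can be found ahead of time from an LDIF export of the groups. The following Python check is an added example, not code from the release note or from Directory Server; the LDIF sample and the DNs in it are constructed. The cycle search is written iteratively on purpose, so that a very long chain of nested groups cannot overflow the stack of the checker itself.

```python
from typing import Dict, Iterator, List, Set


def groups_from_ldif(ldif: str, member_attrs=("member", "uniquemember")) -> Dict[str, List[str]]:
    """Build {group DN: [member DNs]} from an LDIF dump; entries are separated by blank lines."""
    groups: Dict[str, List[str]] = {}
    dn = None
    for line in ldif.splitlines():
        if not line.strip():
            dn = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
            groups.setdefault(dn, [])
        elif dn is not None and name in member_attrs:
            groups[dn].append(value)
    return groups


def membership_cycles(group_members: Dict[str, List[str]]) -> List[List[str]]:
    """Return every membership loop, each as a list of DNs that ends where it started.

    Iterative depth-first search: DNs not present as keys are leaf members (users) and are skipped.
    """
    cycles: List[List[str]] = []
    finished: Set[str] = set()
    for start in group_members:
        if start in finished:
            continue
        path: List[str] = [start]
        on_path: Set[str] = {start}
        pending: List[Iterator[str]] = [iter(group_members.get(start, []))]
        while pending:
            member = next(pending[-1], None)
            if member is None:
                # Everything below this group has been explored; leave the path.
                pending.pop()
                done = path.pop()
                on_path.discard(done)
                finished.add(done)
            elif member in on_path:
                cycles.append(path[path.index(member):] + [member])
            elif member in group_members and member not in finished:
                path.append(member)
                on_path.add(member)
                pending.append(iter(group_members[member]))
    return cycles


# Constructed sample: Group A -> Group B -> Group C -> Group A, plus Group D feeding into the loop.
SAMPLE_LDIF = """\
dn: cn=Group A,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=Group B,ou=Groups,dc=example,dc=com
member: uid=alice,ou=People,dc=example,dc=com

dn: cn=Group B,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=Group C,ou=Groups,dc=example,dc=com

dn: cn=Group C,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=Group A,ou=Groups,dc=example,dc=com

dn: cn=Group D,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=Group B,ou=Groups,dc=example,dc=com
"""

if __name__ == "__main__":
    for loop in membership_cycles(groups_from_ldif(SAMPLE_LDIF)):
        print(" -> ".join(loop))
```

Group D is reported as clean because it only feeds into the loop; only the groups that actually form the loop are listed, which is what you want when deciding which member attribute to remove.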

Bug 454621 (alternate IDs: 245248, 454658, CVE-2008-2929)

The Directory Server Gateway and Administration Server Express interfaces had cross-site scripting issues caused by improperly parsing a percent (%)-escaped value provided by a user. A remote attacker could exploit this flaw to run cross-site scripting attacks against Directory Server users or administrators who used those web services.

These errors have been fixed.
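
The defensive point behind this fix is the order of operations when a percent-escaped value is written into a page: decode the user's value completely, then HTML-escape it where it is emitted. The following Python snippet is an added example, not code from the release note or from the Directory Server Gateway, and it contrasts two flawed orderings with the correct one. The sample parameter is constructed and only carries a harmless marker tag.

```python
from html import escape
from urllib.parse import unquote

# Constructed sample: a percent-escaped query value as a browser would submit it.
SAMPLE_PARAM = "%3Cscript%3Etest%3C%2Fscript%3E"


def render_decoded_raw(param: str) -> str:
    """Flawed: the decoded value is placed in the page unchanged."""
    return f"<p>Results for {unquote(param)}</p>"


def render_escaped_then_decoded(param: str) -> str:
    """Also flawed: escaping sees only harmless %XX text, and a later decode step reintroduces the markup."""
    return unquote(f"<p>Results for {escape(param, quote=True)}</p>")


def render_safe(param: str) -> str:
    """Decode first, then escape at the point where the value becomes part of the HTML."""
    return f"<p>Results for {escape(unquote(param), quote=True)}</p>"


def leaks_markup(fragment: str) -> bool:
    """Check used by the tests: did a tag from the input survive into the output?"""
    return "<script>" in fragment


if __name__ == "__main__":
    for render in (render_decoded_raw, render_escaped_then_decoded, render_safe):
        print(f"{render.__name__:30} leaks markup: {leaks_markup(render(SAMPLE_PARAM))}")
```

Escaping with quote=True also neutralises quotation marks, which matters when the value lands inside an attribute rather than element text.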

Bug 458171

On HP-UX, when running an approximate search, the search code could return error code 3, which corresponds to the LDAP error code for exceeding the search time limit. This meant that an approximate search could end prematurely with a timeout error, even though the time limit had not been reached.

This error has been fixed.

Bug 458506 (alternate IDs: CVE-2008-3283, 458692, 458977)

There was a memory leak error in the SASL bind code. This error was difficult to trigger in real-world scenarios because it required sending a 0-valued password for a SASL bind, but it could be triggered by an anonymous user.

This error has been fixed.

Bug 458507 (alternate IDs: CVE-2008-3283, 458692, 458977)

There was a memory leak error when changing the password storage scheme. This error could only be triggered by an admin user, not an anonymous user.

This error has been fixed.

Bug 458510 (alternate IDs: CVE-2008-3283, 458692, 458977)

There was a memory leak error when a user attempted to change a password; if the given DN for the password change was null, the operation defaulted to changing the password for the bind DN, and there was a small memory leak at that transition. This could be triggered by an anonymous user.

This error has been fixed.

Bug 458666 (alternate IDs: CVE-2008-3283, 458692, 458977)

When trivial word checking was enabled in the password policy, a small memory leak occurred each time the check ran as part of a user's password change.

This error has been fixed.

Bug 458668 (alternate IDs: CVE-2008-3283, 458692, 458977)

There was a memory leak error in the SASL mapping code with the regular expressions which are used with the identity mapping to look up a user's bind DN based on the user and user realm.

This error has been fixed.

Bug 458675 (alternate IDs: CVE-2008-3283, 458692, 458977)

There was a memory leak error in how Directory Server handled value sets where several duplicate, non-sequential values were added to an attribute, such as adding foo, bar, bat, foo. This leak could only be triggered by a user authenticated to the Directory Server who had the rights to modify attributes in an entry, including self-write access, and only if replication was being used.

This error has been fixed.

Bug 458677 (alternate IDs: CVE-2008-3283, 458692, 458977)

There was a memory leak error in the index code for searches which were run against the index with a range or with a matching rule.

This error has been fixed.

Table 1. Bugs Fixed in Directory Server 7.1 SP7