Bug 1186725 - (CVE-2020-20178) VUL-0: CVE-2020-20178: Ethereum 0xe933c0cd9784414d5f278c114904f5a84b396919#code.sol issue
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Depends on:
Reported: 2021-06-02 08:26 UTC by Marcus Meissner
Modified: 2021-06-21 23:32 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2021-06-02 08:26:38 UTC

A flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed by OpenLDAP’s slapd server, to trigger an assertion failure. The highest threat from this vulnerability is to system availability.


In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.


Comment 1 William Brown 2021-06-16 00:22:39 UTC
This is already patched and released in all affected code streams.
Comment 4 Marcus Meissner 2021-06-17 07:32:10 UTC
Weird, the upstream CVE description flipped to an Ethereum description.

Ethereum 0xe933c0cd9784414d5f278c114904f5a84b396919#code.sol latest version is affected by a denial of service vulnerability in the affected payout function. Once the length of this array is too long, it will result in an exception. Attackers can make attacks by creating a series of account addresses.
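The failure mode described in the quoted CVE text is an unbounded loop over a caller-growable array. The following is an added illustration, not the code of the contract at that address: a constructed push-style payout beside a pull-payment alternative that never iterates over the list (contract and function names are assumptions).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed illustration, not the contract named in the CVE: a payout that
// walks every registered address. Anyone can grow the array, so gas use grows
// with it until payout() no longer fits in a block and reverts every time.
contract PushPayout {
    address[] public recipients;
    mapping(address => bool) public registered;
    receive() external payable {}

    function register() external {
        require(!registered[msg.sender], "already registered");
        registered[msg.sender] = true;
        recipients.push(msg.sender);
    }

    // Unbounded loop: cost is linear in recipients.length, and a single
    // recipient whose fallback reverts also blocks everyone else.
    function payout(uint256 amountEach) external {
        for (uint256 i = 0; i < recipients.length; i++) {
            payable(recipients[i]).transfer(amountEach);
        }
    }
}

// Hardened shape: record what each address is owed and let each recipient
// withdraw its own share, so no transaction touches more than one entry.
contract PullPayout {
    address public immutable owner;
    mapping(address => uint256) public owed;
    uint256 public totalOwed;
    constructor() { owner = msg.sender; }
    receive() external payable {}

    function credit(address who, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        owed[who] += amount;
        totalOwed += amount;
        require(totalOwed <= address(this).balance, "insufficient funds");
    }

    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0;   // effects before interaction (reentrancy-safe)
        totalOwed -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The pull variant bounds every call to constant work regardless of how many addresses have been credited, which is the property the push loop lacks.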
Comment 5 Marcus Meissner 2021-06-17 07:34:52 UTC
I filed a review request with Mitre.

This change of description is usually not acceptable for CNAs.
Comment 6 William Brown 2021-06-18 00:09:41 UTC
Okay, I'll leave it with you to follow up - if you still need this added to the changelog then I'll do it once we clear up the cve assignment situation :)
Comment 7 Tausif Siddiqui 2021-06-21 09:06:48 UTC
Marcus, William,

Looks like MITRE may have corrected an earlier mistake of mapping CVE-2020-20178 to an OpenLDAP vulnerability, which is now having Ethereum description.

The OpenLDAP vulnerability is actually another CVE -> CVE-2021-27212. See 1 and 2 below.

1. https://access.redhat.com/security/cve/CVE-2021-27212
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27212

This is my evaluation; I haven't confirmed it with MITRE as you're already in the process. I hope it turns out to be the case.
Comment 8 Marcus Meissner 2021-06-21 09:25:49 UTC
Did not hear back from MITRE so far.

But if we covered this issue in the correct CVE, I will close this bug for now and see if I can unmark it.

Adjusted the subject of this bug. Added a note to the CVE page, untagged openldap2.
Comment 9 William Brown 2021-06-21 23:32:38 UTC
No problemo, thanks for following up.