Note: This is an archival copy of Security Sun Alert 273910 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1021699.1.
Article ID : 1021699.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-05-21
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

This Alert covers CVE-2009-2404 and CVE-2009-0688 for the Directory Server component of the Sun ONE Directory Server and Sun Java System Directory Server products.



Category
Security

Release Phase
Resolved

Bug Id
6874719, 6843063

Product
Sun Java System Directory Server Enterprise Edition

Date of Resolved Release
12-Apr-2010

...

1. Impact

This Alert covers CVE-2009-2404 and CVE-2009-0688 for the Directory Server component of the Sun ONE Directory Server and Sun Java System Directory Server products.

Please see http://www.oracle.com/technology/deploy/security/alerts.htm for more information about Critical Patch Updates and Security Alerts.
This publication relates to the CPU for April 2010.


2. Contributing Factors

These issues can occur in the following releases and platforms:

Sun Java System Directory Server 5.2:

Solaris 8, 9 and 10 on SPARC and x86 Platforms, Linux, Windows, HP-UX, and AIX:

Native Package Versions:
  • Sun ONE Directory Server 5.2
  • Sun Java System Directory Server 5 2003Q4 (5.2patch1)
  • Sun Java System Directory Server 5 2004Q2 (5.2patch2)
  • Sun Java System Directory Server 5 2005Q1 (5.2patch3)
  • Sun Java System Directory Server 5 2005Q4 (5.2patch4)

PatchZIP (Compressed Archive) Versions:
  • Sun ONE Directory Server 5.2
  • Sun Java System Directory Server 5.2 Patch2
  • Sun Java System Directory Server 5.2 Patch3
  • Sun Java System Directory Server 5.2 Patch4
  • Sun Java System Directory Server 5.2 Patch6 without patch 142806-01

Sun Java System Directory Server Enterprise Edition:

Solaris 9 and 10 on SPARC and x86 Platform, HP-UX, Linux, and Windows:

PatchZIP (Compressed Archive) and Native Package Versions:
  • Sun Java System Directory Server Enterprise Edition 6.0
  • Sun Java System Directory Server Enterprise Edition 6.1
  • Sun Java System Directory Server Enterprise Edition 6.2
  • Sun Java System Directory Server Enterprise Edition 6.3
  • Sun Java System Directory Server Enterprise Edition 6.3.1 without patch 142807-01 (for PatchZIP)

To determine if the Directory Server running on a system is affected, the following command can be used:

Sun Java System Directory Server 5.2:

On Solaris, Linux, HP-UX, and AIX systems:
    $ cd <installation directory>/bin/slapd/server
    $ ./ns-slapd -V -D <instance-directory>

On 64-bit Solaris:
    $ cd <installation directory>/bin/slapd/server/64
    $ ./ns-slapd -V -D <instance-directory>

If the output contains the version string 5.2, the system may be affected by this issue.

On Windows systems:
    cd <installation directory>/bin/slapd/server
    slapd.exe -V -D <instance-directory>

If the output contains the version string 6.0, 6.1, 6.2, 6.3 or 6.3.1, the system may be affected by this issue.

Sun Java System Directory Server Enterprise Edition:
    $ dsadm -V

Note: The Native Package Versions of Directory Server are not directly affected by this issue, but they make use of the Java Enterprise System (JES) installation that is installed on the system and are therefore impacted when the resolution for JES has not been installed. Please see Sun Alerts 264248 and 267031 for more details.

3. Symptoms


4. Workaround

5. Resolution

These issues are addressed in the following releases:

Sun Java System Directory Server 5.2:

Solaris 8, 9, and 10 for SPARC and x86 Platforms, Linux, Windows, HP-UX, and AIX:

For the PatchZIP (Compressed Archive) version:
  • Sun Java System Directory Server 5.2 Patch6 with patch 142806-01 or later

Sun Java System Directory Server Enterprise Edition:

Solaris 9 and 10 for SPARC and x86 Platforms, HP-UX, Linux, and Windows:

For the PatchZIP (Compressed Archive) version:
  • Sun Java System Directory Server Enterprise Edition 6.3.1 with patch 142807-01 or later

Note 1: To resolve this issue on Sun Java System Directory Server 5.2 versions before Patch 6, Directory Server should first be upgraded to Patch 6 using the instructions in the following document:
and then the above resolution patch should be installed.

Note 2: To resolve this issue on Sun Java System Directory Server Enterprise Edition versions before 6.3.1, Directory Server should first be upgraded to 6.3.1 using the instructions in the following document:
and then the above resolution patch should be installed.

Note 3: The Native Package versions of Sun Java System Directory Server 5.2 and Sun Java System Directory Server Enterprise Edition 6.x use the separate installation of Java Enterprise System that is installed on the host. Therefore, to resolve this issue in these Native Package versions, the resolution from Sun Alerts 264248 and 267031 should be installed.

References

142806-01
142807-01




