Updated OpenLDAP packages are now available for Red Hat Linux 7, 7.1, and 7.2. These updates resolve a vulnerability which would allow users to remove non-mandatory attributes from any object in a directory.
Versions of OpenLDAP from 2.0.0 through 2.0.19 do not check permissions using access control lists when a user attempts to remove an attribute from an object in the directory by replacing its values with an empty list. Because schema checking is still enforced, a user can only remove attributes that the schema does not require the object to possess. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0045 to this issue. These packages update OpenLDAP to version 2.0.21, which is not vulnerable to this problem.
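For administrators reviewing recorded changes from a server that ran an affected version, the request shape described above (a replace operation that carries no values) can be picked out of an LDIF change log. The following Python sketch is an added example, not part of the advisory or of OpenLDAP; it assumes the changes are available as LDIF (RFC 2849) change records, and the sample records, DNs and the function name `empty_replaces` are constructed for illustration.

```python
# Constructed sample change log in LDIF (RFC 2849); every entry is made up.
SAMPLE_LDIF = """\
dn: uid=bob,ou=People,dc=example,dc=com
changetype: modify
replace: description
-
replace: mail
mail: bob@example.com
-

dn: uid=carol,ou=People,
 dc=example,dc=com
changetype: modify
delete: seeAlso
-
replace: mail
"""

def empty_replaces(ldif_text):
    """Return (dn, attribute) for every replace operation that carries no values."""
    hits, lines = [], []
    dn, is_modify, op, nvalues = None, False, None, 0
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):          # skip comment lines
            lines.append(raw)
    for line in lines + [""]:                  # sentinel closes the last record
        if line in ("", "-"):                  # end of record / end of operation
            if op and op[0] == "replace" and nvalues == 0:
                hits.append((dn, op[1]))
            op, nvalues = None, 0
            if line == "":
                dn, is_modify = None, False
            continue
        key, _, value = line.partition(":")
        key, value = key.lower(), value.strip()
        if op is not None:
            nvalues += 1                       # value line of the current operation
        elif key == "dn":
            dn = value
        elif key == "changetype":
            is_modify = value.lower() == "modify"
        elif is_modify and key in ("add", "delete", "replace"):
            op = (key, value)
    return hits

print(empty_replaces(SAMPLE_LDIF))
```

A hit only identifies the request shape; whether the requesting user was entitled to make the change still has to be checked against the directory's access control lists.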