CVE-2020-25709: 
NixOS vulnerability analysis and mitigation

CVE-2020-25709 is a vulnerability discovered in OpenLDAP that allows an attacker who can send a malicious packet to be processed by OpenLDAP's slapd server to trigger an assertion failure in the Certificate List syntax validation. The vulnerability was discovered in versions prior to OpenLDAP 2.4.56 (NVD, Red Hat).

The vulnerability exists in the certificateListValidate function in servers/slapd/schema_init.c of OpenLDAP. It has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with low attack complexity and no required privileges or user interaction (NVD).

The primary impact of this vulnerability is to system availability. A successful exploitation can cause a denial of service through the crashing of the slapd daemon when processing specially crafted packets (Debian, NetApp).

The vulnerability has been fixed in OpenLDAP version 2.4.56. Various vendors have released patches for their affected products: Debian has released version 2.4.47+dfsg-3+deb10u4 for Debian 10 (buster), Apple has included fixes in macOS Big Sur 11.2, Security Update 2021-001 Catalina, and Security Update 2021-001 Mojave (Debian, Apple).