| Summary: | 389-ds-base new security issue CVE-2013-4485 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | sysadmin-bugs, thomas, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/574604/ | ||
| Whiteboard: | has_procedure advisory mga3-32-ok mga3-64-ok | ||
| Source RPM: | 389-ds-base-1.3.2.2-2.mga4.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2013-11-21 15:54:34 CET

David Walser
2013-11-21 15:54:40 CET
Whiteboard: (none) => MGA3TOO

David Walser
2013-11-21 18:31:05 CET
URL: (none) => http://lwn.net/Vulnerabilities/574604/

Thomas Spuhler
2013-11-21 19:12:25 CET
Status: NEW => ASSIGNED

I am sure upstream will post an upgraded version in a few days. There is an open bug (not reported) in upgrading the ldif file starting from version 1.3.2 that needs to be fixed. mga needs the patch.

David Walser
2013-11-21 23:05:17 CET
Blocks: (none) => 11726

Versions 1.3.0.9 and 1.3.2.5 have been released fixing this:
http://port389.org/wiki/Releases/1.3.0.9
http://port389.org/wiki/Releases/1.3.2.5

Thanks a lot. 1.3.2.5 in cauldron has a freeze push on it.

Fixed in Cauldron in 389-ds-base-1.3.2.5-1.mga4.

Packages uploaded for Mageia 3 updates_testing:
389-ds-base-1.3.0.9-1.mga3
389-ds-base-libs-1.3.0.9-1.mga3
389-ds-base-devel-1.3.0.9-1.mga3

from 389-ds-base-1.3.0.9-1.mga3.src.rpm
Version: Cauldron => 3

(In reply to David Walser from comment #4)
> Fixed in Cauldron in 389-ds-base-1.3.2.5-1.mga4.
>
> Packages uploaded for Mageia 3 updates_testing:
> 389-ds-base-1.3.0.9-1.mga3
> 389-ds-base-libs-1.3.0.9-1.mga3
> 389-ds-base-devel-1.3.0.9-1.mga3
>
> from 389-ds-base-1.3.0.9-1.mga3.src.rpm

I tested the update in mga3. I did not test a new install in mga3. I am going to assign this now to qa.
Assignee: thomas => qa-bugs

Thanks Thomas.

Advisory:
========================

Updated 389-ds-base packages fix security vulnerability:

It was discovered that the 389 Directory Server did not properly handle certain Get Effective Rights (GER) search queries when the attribute list, which is a part of the query, included several names using the '@' character. An attacker able to submit search queries to the 389 Directory Server could cause it to crash (CVE-2013-4485).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4485
http://port389.org/wiki/Releases/1.3.0.9
https://rhn.redhat.com/errata/RHSA-2013-1752.html
========================

Updated packages in core/updates_testing:
========================
389-ds-base-1.3.0.9-1.mga3
389-ds-base-libs-1.3.0.9-1.mga3
389-ds-base-devel-1.3.0.9-1.mga3

from 389-ds-base-1.3.0.9-1.mga3.src.rpm
CC: (none) => thomas

Testing complete mga3 32

# hostname
laptop.local
# hostname
laptop.local
# setup-ds.pl
==============================================================================
This program will set up the 389 Directory Server.

It is recommended that you have "root" privilege to set up the software.
..etc

Chose Express setup and when it asked for DN just hit enter and entered an 8-character password.

Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):
/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
Your new DS instance 'laptop' was successfully created.
Exiting . . .
Log file is '/tmp/setupcyGVEh.log'

# systemctl start dirsrv@laptop.service
# systemctl status dirsrv@laptop.service
dirsrv@laptop.service - 389 Directory Server laptop.
Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled)
Active: active (running) since Mon, 2013-11-25 13:40:28 GMT; 1min 31s ago
...etc

# netstat -pant | grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 23343/ns-slapd

Shows it listening on port 389 and the following command shows lots of info.

# ldapsearch -x -h localhost -s base -b "" "objectclass=*"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
#

dn:
objectClass: top
namingContexts: dc=local
defaultnamingcontext: dc=local
...etc
Whiteboard: (none) => has_procedure mga3-32-ok

Testing complete mga3 64

Validating. Advisory uploaded (after some faffing around)

Could sysadmin please push from 3 core/updates_testing to updates
Thanks!
Keywords: (none) => validated_update

David Walser
2013-11-30 18:37:11 CET
Blocks: 11726 => (none)

Update pushed:
http://advisories.mageia.org/MGASA-2013-0357.html
Status: ASSIGNED => RESOLVED
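A check an administrator or QA tester could run alongside the procedure above to confirm the installed 389-ds-base is at or above the fixed version this bug names (1.3.0.9 for Mageia 3, 1.3.2.5 for Cauldron). This is an added example, not code from the bug report or from the 389-ds-base project; the `rpm -q --qf` query in `check_host` assumes an rpm-based host and is only invoked when called explicitly.

```shell
#!/bin/sh
# Added example: confirm the installed 389-ds-base carries the CVE-2013-4485 fix.
# Fixed versions are the ones named in the bug: 1.3.0.9 (Mageia 3), 1.3.2.5 (Cauldron).

# vercmp_ge A B: exit 0 when dotted version A >= B, comparing each field
# numerically (so 1.3.0.10 > 1.3.0.9, unlike a plain string compare).
# Fields are assumed numeric; a missing field counts as 0.
vercmp_ge() {
    va=$1
    vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa=${va%%.*}; fb=${vb%%.*}
        if [ "$fa" = "$va" ]; then va=; else va=${va#*.}; fi
        if [ "$fb" = "$vb" ]; then vb=; else vb=${vb#*.}; fi
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# fixed_version_for RELEASE: first upstream version carrying the fix for a Mageia release.
fixed_version_for() {
    case "$1" in
        3) echo 1.3.0.9 ;;
        4|cauldron) echo 1.3.2.5 ;;
        *) return 1 ;;
    esac
}

# check_389ds_fixed VERSION RELEASE: prints "fixed" or "vulnerable" for package
# version VERSION (the release tag such as -1.mga3 already stripped off).
check_389ds_fixed() {
    need=$(fixed_version_for "$2") || { echo "unknown release: $2" >&2; return 2; }
    if vercmp_ge "$1" "$need"; then echo fixed; return 0; fi
    echo vulnerable
    return 1
}

# check_host RELEASE: query the live host (assumes rpm is present). Not run at
# load time, so the pure functions above stay usable stand-alone.
check_host() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 2; }
    ver=$(rpm -q --qf '%{VERSION}\n' 389-ds-base) || { echo "389-ds-base not installed"; return 0; }
    status=$(check_389ds_fixed "$ver" "$1") || true
    printf '389-ds-base %s on mga%s: %s\n' "$ver" "$1" "$status"
    [ "$status" = fixed ]
}
```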