| Summary: | 389-ds-base new security issue CVE-2015-3230 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, lewyssmith, sysadmin-bugs, thomas, tmb |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/660129/ | ||
| Whiteboard: | has_procedure advisory MGA5-32-OK MGA5-64-OK | ||
| Source RPM: | 389-ds-base-1.3.3.10-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-10-09 17:34:08 CEST

This bug has been fixed by upgrade to version 1.3.3.13:
* this fixes security issue Bug 16928 CVE-2015-3230
* this is a maintenance update and fixes a lot of other issues - see upstream announcement

The following packages are in mga5, updates-testing:
389-ds-base-1.3.3.13-1.mga5.src.rpm
389-ds-base-1.3.3.13-1.mga5.x86_64.rpm
lib64389-ds-base0-1.3.3.13-1.mga5.x86_64.rpm
lib64389-ds-base-devel-1.3.3.13-1.mga5.x86_64.rpm
389-ds-base-debuginfo-1.3.3.13-1.mga5.x86_64.rpm
and corresponding i586 packages.

Status: NEW => ASSIGNED

David Walser
2015-10-09 20:38:40 CEST

Thanks Thomas!

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=11720#c7

Advisory:
========================

Updated 389-ds-base packages fix security vulnerability:

It was reported that the nsSSL3Ciphers preference is not enforced server side, which allows for a potential downgrade attack to take place (CVE-2015-3230).

The 389-ds-base package has been updated to version 1.3.3.13, fixing this issue and several other bugs. See the upstream release announcements for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3230
http://www.port389.org/docs/389ds/releases/release-1-3-3-12.html
http://www.port389.org/docs/389ds/releases/release-1-3-3-13.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-October/168985.html

Whiteboard: (none) => has_procedure
Dave Hodgins
2015-10-09 20:42:24 CEST

CC: (none) => davidwhodgins

Trying x64. Small installation problem of inconsistency between hostname & local IP addresses:

"WARNING: There are problems with the hostname.
Hostname 'localhost.localdomain' is valid, but none of the IP addresses resolve back to localhost.localdomain
- address 0:0:0:0:0:0:0:1 resolves to host localhost
- address 127.0.0.1 resolves to host localhost
Please check the spelling of the hostname and/or your network configuration.
If you proceed with this hostname, you may encounter problems.
Do you want to proceed with hostname 'localhost.localdomain'? [no]:"

What/where should I change please?
CC: (none) => lewyssmith

/etc/hosts
127.0.0.1 localhost.localdomain localhost

CC: (none) => tmb

As far as I remember, when setting up the server, it tells you that you need a FQDN?

MGA5-32 on AcerD620 Xfce
I do not find 389-ds-base-debuginfo-1.3.3.13-1 for i586. Proceeding anyway.
Procedure followed as per Comment 2, confirm results therein.
One side-remark: when using the Express setup, this one reported the name of the PC as mach6.xxxx.yyyy.xxxx.yyyy
This is contrary to the hostname, which returns mach6.xxxx.yyyy
So I chose setup type 2 Typical and accepted all other defaults, and the configuration works OK with that.

CC: (none) => herman.viaene

Herman Viaene
2015-10-14 14:47:59 CEST

Whiteboard: has_procedure advisory MGA-32-OK => has_procedure advisory MGA5-32-OK

Testing MGA5 x64 real hardware.
Thanks Thomas for your Comment 4. Done.
I followed https://bugs.mageia.org/show_bug.cgi?id=11720#c7 (as usual, thanks Claire for beating the path),
# setup-ds.pl
but doing a 'typical' installation since I had already abandoned a previous one.
Hit the same curiosity as Herman Comment 6:
"Computer name [localhost.localdomain.localdomain]: localhost.localdomain"
so thanks to you for warning of this.
Accepted all subsequent defaults (plus a real password).
Password:
Password (confirm):
Your new DS instance 'localhost' was successfully created.
Exiting . . .
Log file is '/tmp/setupaOsgiX.log'

BEFORE update:
389-ds-base-1.3.3.10-1.mga5
lib64389-ds-base0-1.3.3.10-1.mga5
# systemctl start dirsrv@localhost
# systemctl status dirsrv@localhost
● dirsrv@localhost.service - 389 Directory Server localhost.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled)
   Active: active (running) since Thu 2015-10-15 12:26:18 CEST; 3min 26s ago
...
# netstat -pant | grep 389
tcp6       0      0 :::389                  :::*                    LISTEN      8136/ns-slapd
# ldapsearch -x -h localhost -s base -b "" "objectclass=*"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
#
dn: ...
All as per the test procedure.

AFTER update:
389-ds-base-1.3.3.13-1.mga5
lib64389-ds-base0-1.3.3.13-1.mga5
# systemctl restart dirsrv@localhost
# systemctl status dirsrv@localhost
O/P similar to previously.
# netstat -pant | grep 389
O/P identical to previously.
# ldapsearch -x -h localhost -s base -b "" "objectclass=*"
O/P identical
Update deemed OK.

Whiteboard: has_procedure advisory MGA5-32-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK

Validating. Please push to 5 updates. Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0402.html

Status: ASSIGNED => RESOLVED
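The x64 test in this report checks the updated service by hand (package version, systemctl status, listening port, anonymous root DSE search). As an added example that is not part of the bug report, of Mageia QA's procedure or of 389-ds-base itself, the following POSIX sh script automates those checks and adds the one the advisory implies: once the fixed version is running, a cipher that the instance's nsSSL3Ciphers setting disables must be refused at the TLS handshake, because CVE-2015-3230 was precisely that this preference was not enforced server side. It assumes an instance named localhost as in the test procedure, LDAP on 389 and LDAPS on 636 when TLS is enabled, and that the operator supplies the OpenSSL name of a cipher excluded by nsSSL3Ciphers (389-ds uses its own cipher names, so that mapping is the operator's; the `-cipher` probe covers TLS 1.2 and earlier). The instance name, ports, cipher and all helper names are illustrative.

```shell
#!/bin/sh
# Added example (not from the bug report or from 389-ds-base): post-update check
# for the 389-ds-base 1.3.3.13 update that fixes CVE-2015-3230.
# Assumptions (not from the page): instance "localhost", LDAP on 389, LDAPS on
# 636, and the caller names an OpenSSL cipher that nsSSL3Ciphers disables.

FIXED_VERSION="1.3.3.13"   # first version carrying the fix, per the advisory

# version_ge A B: succeeds when dotted version A >= B, comparing components numerically.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "[.]"); nb = split(b, y, "[.]")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# has_fix VERSION: the installed 389-ds-base version is at least FIXED_VERSION.
has_fix() { version_ge "$1" "$FIXED_VERSION"; }

# tls_handshake_ok OUTPUT: inspects `openssl s_client` output and succeeds only
# when a cipher was negotiated. A failed handshake prints "Cipher    : 0000";
# a refused connection prints no Cipher line at all. Both count as failure.
tls_handshake_ok() { printf '%s\n' "$1" | grep -q '^ *Cipher *: *[A-Za-z]'; }

# cipher_accepted HOST:PORT OPENSSL_CIPHER: succeeds when the server completes a
# handshake restricted to that single cipher. For a cipher disabled by
# nsSSL3Ciphers this must fail on a fixed server; success is the finding.
cipher_accepted() {
  out=$(printf '' | openssl s_client -connect "$1" -cipher "$2" 2>/dev/null)
  tls_handshake_ok "$out"
}

main() {
  inst=${1:-localhost}; ldap_port=${2:-389}; ldaps_port=${3:-636}; probe_cipher=${4:-}
  ver=$(rpm -q --qf '%{VERSION}\n' 389-ds-base) || { echo "389-ds-base not installed"; return 1; }
  has_fix "$ver" || { echo "installed $ver is older than $FIXED_VERSION"; return 1; }
  systemctl is-active --quiet "dirsrv@$inst" || { echo "dirsrv@$inst not running"; return 1; }
  # ss replaces the netstat -pant used in the manual test
  ss -ltn | grep -q ":$ldap_port " || { echo "nothing listening on $ldap_port"; return 1; }
  ldapsearch -x -H "ldap://localhost:$ldap_port" -s base -b "" 'objectclass=*' >/dev/null \
    || { echo "anonymous root DSE search failed"; return 1; }
  if [ -n "$probe_cipher" ]; then
    if cipher_accepted "localhost:$ldaps_port" "$probe_cipher"; then
      echo "server accepted disabled cipher $probe_cipher: nsSSL3Ciphers not enforced"; return 1
    fi
    echo "disabled cipher $probe_cipher refused"
  fi
  echo "389-ds-base $ver: update checks passed"
}

# Run only when invoked with --run, so the file can be sourced just for its functions.
if [ "${1-}" = "--run" ]; then shift; main "$@"; fi
```

Run it on the test machine as `sh check-389ds.sh --run localhost 389 636 AES128-SHA`, substituting a cipher that the instance's nsSSL3Ciphers value excludes; a non-zero exit with "nsSSL3Ciphers not enforced" means the server still negotiates a cipher it was configured to reject, which is the condition the update is meant to remove. Sourcing the file without `--run` only defines the functions.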