Bug 19716

Summary: 389-ds-base new security issue CVE-2016-5405 and CVE-2016-5416
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: All Packagers <pkg-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: marja11, mhrambo3501
Version: 5   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/705560/
Whiteboard:
Source RPM: 389-ds-base-1.3.4.14-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-11-04 15:50:14 CET 
RedHat has issued an advisory on November 3:
https://rhn.redhat.com/errata/RHSA-2016-2594.html

They updated to 1.3.5.10, and we recently updated Cauldron to 1.3.5.13, so I don't believe we're affected there.  We also recently updated the version in Mageia 5, but I'm not sure if it contains the fixes, though it probably does.
Comment 1 Marja Van Waes 2016-11-04 23:44:08 CET 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2016-11-07 16:08:32 CET 
There are three CVEs associated with this and both RHEL6 and RHEL7 are identified as being vulnerable upstream.

For reference:
RHEL6 is at version 389-ds-base-1.2.11.15.
RHEL7 is at version 389-ds-base-1.3.3.1.

https://access.redhat.com/security/cve/CVE-2016-4992 Information disclosure via repeated use of LDAP ADD operation (low impact)
https://access.redhat.com/security/cve/CVE-2016-5416 ACI readable by anonymous user (moderate impact)
RHEL6 - Status is "Fix deferred" for both of these.

https://access.redhat.com/security/cve/CVE-2016-5405 Password verification vulnerable to timing attack (low impact)
RHEL6 - Status is "Will not fix".

In all cases the RHEL7 fix is to update to 389-ds-base-1.3.5.10.

As noted, cauldron is at 389-ds-base-1.3.5.13.
MGA5 is at 389-ds-base-1.3.4.14.

I have not been able to find sufficient information to determine whether MGA5 on version 1.3.4.14 is vulnerable to any of these.

CC: (none) => mrambo

Comment 3 David Walser 2016-11-07 18:37:19 CET 
Fedora has referenced CVE-2016-5416 in the update to 1.3.5.15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NZB7ZCJX2H7QKCPTZORYUJSHIC5X6WXW/
Comment 4 Mike Rambo 2016-11-15 16:22:48 CET 
An update to 1.3.5.15 is pending... (so no one wastes time)
Comment 5 Mike Rambo 2016-11-22 21:47:53 CET 
An update to 1.3.5.15 has been committed and pushed for cauldron to resolve the referenced security issues.

Status: NEW => RESOLVED
Resolution: (none) => FIXED