| Summary: | 389-ds-base new security issue CVE-2018-14648 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | geiger.david68210, lewyssmith, marja11, mhrambo3501, smelror, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK | | |
| Source RPM: | 389-ds-base-1.3.5.19-8.mga7.src.rpm | CVE: | |
| Status comment: | | | |
|
Description

David Walser 2018-11-02 21:48:46 CET

David Walser 2018-11-02 21:48:54 CET

Whiteboard: (none) => MGA6TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing some committers.

CC: (none) => geiger.david68210, marja11, mrambo, smelror

Upgraded cauldron to 1.4.0.18. Tried to do 1.3.9.0 for Mageia 6 but couldn't get it to build. Applied an upstream patch to the existing mga6 code base that just fixes the CVE instead.

Advisory:
========================

Patched 389-ds-base package fixes security vulnerability:

It was discovered that mishandled search requests in servers/slapd/search.c:do_search() in 389-ds-base allow for denial of service (CVE-2018-14648).

References:
https://access.redhat.com/errata/RHSA-2018:3127
https://bugzilla.redhat.com/show_bug.cgi?id=1630668
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14648
========================

Updated packages in core/updates_testing:
========================
389-ds-base-1.3.5.17-1.7.mga6
389-ds-base-snmp-1.3.5.17-1.7.mga6
lib64389-ds-base0-1.3.5.17-1.7.mga6
lib64389-ds-base-devel-1.3.5.17-1.7.mga6

from 389-ds-base-1.3.5.17-1.7.mga6.src.rpm

Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=11720#c7
https://bugs.mageia.org/show_bug.cgi?id=16928#c7

Keywords: (none) => has_procedure

Testing M6 x64 real hardware

Test procedure ex Claire: https://bugs.mageia.org/show_bug.cgi?id=11720#c7

BEFORE update I already had installed:
389-ds-base-1.3.5.17-1.6.mga6
389-ds-base-snmp-1.3.5.17-1.6.mga6
lib64389-ds-base0-1.3.5.17-1.6.mga6

```
# systemctl start dirsrv@localhost
```
failed (I did not first check whether it was already running...).

```
# setup-ds.pl
```
also eventually failed: "Error: the server already exists at '/etc/dirsrv/slapd-localhost'. Please remove it first if you really want to recreate it," which I did:

```
# rm -rf /etc/dirsrv/slapd-localhost
```
after which

```
# setup-ds.pl
```
worked OK with Express setup: "Your new DS instance 'localhost' was successfully created."

Perhaps all this was unnecessary if it was running in the first place.

----------------------------------------------------------------------

```
# systemctl start dirsrv@localhost
# systemctl status dirsrv@localhost
● dirsrv@localhost.service - 389 Directory Server localhost.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor pres
   Active: active (running) since Sul 2018-11-18 19:54:08 CET; 1min 18s ago
  Process: 22491 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/
 Main PID: 22497 (ns-slapd)
   Status: "slapd started: Ready to process requests"
   CGroup: /system.slice/system-dirsrv.slice/dirsrv@localhost.service
           └─22497 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-localhost -i /var/run

Tach 18 19:54:06 localhost.localdomain systemd[1]: Starting 389 Directory Server ...
Tach 18 19:54:08 localhost.localdomain systemd[1]: Started 389 Directory Server

# netstat -pant | grep 389
tcp6       0      0 :::389                  :::*                    LISTEN      22497/ns-slapd

# ldapsearch -x -h localhost -s base -b "" "objectclass=*"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
#

dn:
objectClass: top
defaultnamingcontext: dc=localdomain
dataversion: 020181118185407
netscapemdsuffix: cn=ldap://dc=localhost,dc=localdomain:389

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```

-----------------------------------

AFTER update to:
389-ds-base-1.3.5.17-1.7.mga6
389-ds-base-snmp-1.3.5.17-1.7.mga6
lib64389-ds-base0-1.3.5.17-1.7.mga6

```
# systemctl restart dirsrv@localhost
# systemctl status dirsrv@localhost
```
O/P essentially the same.

```
# netstat -pant | grep 389
```
O/P identical.

```
# ldapsearch -x -h localhost -s base -b "" "objectclass=*"
```
O/P essentially identical.

Deemed OK for 64-bit.

Whiteboard: (none) => MGA6-64-OK

Advisory done from comment 2. Validated.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0461.html

Status: NEW => RESOLVED
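The post-update verification performed by QA above, written up as a script. This is an added example and not part of the bug report or of the Mageia packages; the package names, the fixed build 1.3.5.17-1.7.mga6 and the probe commands are taken from the report, while the `live_check` function, the `--live` switch and the SAMPLE_* outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Mageia bug report: a post-update check for the
# CVE-2018-14648 fix on Mageia 6. Package names, the fixed build and the probe
# commands come from the report; the SAMPLE_* outputs are constructed.

FIXED_REL="1.3.5.17-1.7.mga6"    # patched build listed in the advisory

# rel_at_least INSTALLED REQUIRED: true when INSTALLED is the same build as
# REQUIRED or newer (version-release strings ordered with sort -V)
rel_at_least() {
    [ "$(printf '%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# search_ok LDIF: true when a base-scope ldapsearch finished with result 0 and
# returned at least one entry, i.e. the server is processing searches again
search_ok() {
    printf '%s\n' "$1" | grep -q '^result: 0 Success' &&
        printf '%s\n' "$1" | grep -q '^# numEntries: [1-9]'
}

# Constructed sample outputs, modelled on the ldapsearch run in the report
SAMPLE_OK='dn:
objectClass: top
defaultnamingcontext: dc=localdomain

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1'
SAMPLE_DOWN="ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"

# live_check: run as root on the updated host with --live; checks the three
# packages from the report, the running unit and an anonymous base search
live_check() {
    for pkg in 389-ds-base 389-ds-base-snmp lib64389-ds-base0; do
        inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$pkg") || return 1
        rel_at_least "$inst" "$FIXED_REL" ||
            { echo "$pkg is $inst, older than $FIXED_REL"; return 1; }
    done
    systemctl is-active --quiet dirsrv@localhost ||
        { echo "dirsrv@localhost is not running"; return 1; }
    out=$(ldapsearch -x -h localhost -s base -b "" "objectclass=*") || return 1
    search_ok "$out" || { echo "base search did not succeed"; return 1; }
    echo "389-ds-base >= $FIXED_REL installed and answering searches"
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Without `--live` the script only defines the functions, so the release comparison and the LDIF check can be exercised against the constructed samples on any machine.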