| Summary: | 389-ds-base new security issue CVE-2021-3652 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | 389-ds-base-1.4.0.26-8.mga8.src.rpm | CVE: | CVE-2021-3652 |
| Status comment: | | | |

Description
David Walser
2021-08-20 17:54:43 CEST

David Walser
2021-08-20 17:55:10 CEST

Whiteboard: (none) => MGA8TOO

openSUSE has issued an advisory for this today (August 20):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/E6YUB5M37IM7IMXZ65R3QTW6TPO6B3OS/

This SRPM has no evident maintainer, so have to assign this globally.

Assignee: bugsquad => pkg-bugs

Suggested advisory:

========================

The updated packages fix a security vulnerability:

Fixed crypt handling of locked accounts. (CVE-2021-3652)

References:

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3652
- https://lists.suse.com/pipermail/sle-security-updates/2021-August/009326.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1982782
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/E6YUB5M37IM7IMXZ65R3QTW6TPO6B3OS/

========================

Updated packages in core/updates_testing:

========================

- 389-ds-base-snmp-1.4.0.26-8.1.mga8
- lib(64)svrcore0-1.4.0.26-8.1.mga8
- lib(64)389-ds-base-devel-1.4.0.26-8.1.mga8
- lib(64)svrcore-devel-1.4.0.26-8.1.mga8
- lib(64)389-ds-base0-1.4.0.26-8.1.mga8
- 389-ds-base-1.4.0.26-8.1.mga8
- cockpit-389-ds-1.4.0.26-8.1.mga8

from SRPM:
389-ds-base-1.4.0.26-8.1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)

Tried this but fell at the first fence. The setup script did not like my hostname, which is not lqdn. localhost.localdomain is defined in the hosts file but setup does not allow you to choose a hostname and I am unwilling to change it.

Handing this over to somebody who does have an LQDN hostname.

CC: (none) => tarazed25

s/LQDN/FQDN/

Updated all the packages.
Decided to go with localhost.localdomain as a temporary measure.

```
$ hostname
localhost.localdomain
```

Borrowed from bug 25824.

```
# setup-ds.pl
```

Used the [2] option for common options and set up dirsrv. Also created a local user/administrator(?) with a name and password but have no idea what to do with her.

```
# systemctl start dirsrv@localhost
# systemctl status dirsrv@localhost
● dirsrv@localhost.service - 389 Directory Server localhost.
     Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor p>
     Active: active (running) since Mon 2021-09-20 16:33:46 BST; 2min 47s ago
# netstat -pant | grep 389
tcp6       0      0 :::389       :::*       LISTEN      2894540/ns-slapd
# ldapsearch -x -h localhost -s base -b "" "objectclass=*"
# extended LDIF
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
#
dn:
objectClass: top
defaultnamingcontext: dc=localdomain
dataversion: 020210920153346
netscapemdsuffix: cn=ldap://dc=localhost,dc=localdomain:389

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
$ id dirsrv
uid=954(dirsrv) gid=951(dirsrv) groups=951(dirsrv)
```

These results echo those of previous tests so this can be passed.

Whiteboard: (none) => MGA8-64-OK

Thank you, Len.

Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins
2021-09-22 22:27:15 CEST

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0440.html

Resolution: (none) => FIXED