RedHat has issued an advisory on July 30: https://rhn.redhat.com/errata/RHSA-2013-1119.html
It's not clear which versions are affected, but we have it packaged in Mageia 3 and Cauldron.
Whiteboard: (none) => MGA3TOO
According to the announcement, version 1.2 is affected: https://rhn.redhat.com/errata/RHSA-2013-1119.html
We have version 1.3 on mga3, and cauldron was updated last night.
Version 1.2 is what they issued an update for, because that's what they have in RHEL6. It doesn't mean 1.3 isn't affected (it probably is). Your best bet is to check the patch they added to the package against the code in 1.3.
The patch in RedHat's SRPM on RHEL6 that fixes this is: 0047-CVE-2013-2219-ACLs-inoperative-in-some-search-scenar.patch
It is already fixed in the version we have in Cauldron, but not in Mageia 3. The patch applies cleanly and I have checked it into Mageia 3 SVN. Please submit it to the build system if it looks good to you.
Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)
The patch has been applied in mga3 and is in updates_testing. I have done some testing by installing the package on a local box: I set up a mail domain, added users to it and sent e-mails back and forth. Roundcubemail also shows the addresses in the addressbook and, as far as I can see, everything in Roundcubemail as well as in Thunderbird works.

The updated packages are:
389-ds-base-1.3.0.5-2.2.mga3.src.rpm
389-ds-base-1.3.0.5-2.2.mga3.xxx.rpm
389-ds-base-debuginfo-1.3.0.5-2.2.mga3.xxx.rpm
389-ds-base-devel-1.3.0.5-2.2.mga3.xxxx.rpm
389-ds-base-libs-1.3.0.5-2.2.mga3.xxx.rpm

The package in cauldron will be fixed by updating it to version >= 1.3.1.5 (1.3.1.5 currently doesn't build).
Status: NEW => ASSIGNED
CC: (none) => thomas
Assignee: thomas => qa-bugs
Thanks Thomas. BTW, if you can give more details on the testing setup, it'd help.

Advisory:
========================

Updated 389-ds-base packages fix security vulnerability:

It was discovered that the 389 Directory Server did not honor defined attribute access controls when evaluating search filter expressions. A remote attacker (with permission to query the Directory Server) could use this flaw to determine the values of restricted attributes via a series of search queries with filter conditions that used restricted attributes (CVE-2013-2219).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2219
https://rhn.redhat.com/errata/RHSA-2013-1119.html
========================

Updated packages in core/updates_testing:
========================
389-ds-base-1.3.0.5-2.2.mga3
389-ds-base-libs-1.3.0.5-2.2.mga3
389-ds-base-devel-1.3.0.5-2.2.mga3

from 389-ds-base-1.3.0.5-2.2.mga3.src.rpm
We now have 2 bugs assigned to QA for 389-ds-base. Only one bug should be assigned to QA for each update. As the last one wasn't pushed yet, this build, whatever it includes, is now the current one. Does this include the bugfix from bug 10138? Were the issues in that bug addressed before building this on top of it? Which bug do you want to close? Whichever bug is left should include a full advisory of the changes.
Whiteboard: (none) => feedback
Whoops, sorry, didn't see the other bug. I'll make this one depend on the other one.
CC: (none) => qa-bugs
Depends on: (none) => 10138
Assignee: qa-bugs => thomas
Whiteboard: feedback => (none)
Oooops, seems this has never been assigned to QA.
Assignee: thomas => qa-bugs
Actually it was, but this bug is for the same update as the one in Bug 10138, so we are using that bug to QA this update. Both bugs will be closed once the update is released.
Assignee: qa-bugs => thomas
I understand. No problem. But it looked like it was stuck.
RedHat has issued an advisory on August 28: https://rhn.redhat.com/errata/RHSA-2013-1182.html
This fixes a new security issue, CVE-2013-4283 (from http://lwn.net/Vulnerabilities/565273/).
Summary: 389-ds-base new security issue CVE-2013-2219 => 389-ds-base new security issues CVE-2013-2219 and CVE-2013-4283
Severity: major => critical
This security issue has been fixed by upgrading the package to version 1.3.0.8. Also, the creation of the systemd dir has been made conditional, to avoid the error message when this directory already exists when upgrading from a previous version.

Updated packages in core/updates_testing:
========================
389-ds-base-1.3.0.8-1.mga3.src.rpm
389-ds-base-1.3.0.8-1.mga3.x86_64.rpm
389-ds-base-libs-1.3.0.8-1.mga3.x86_64.rpm
389-ds-base-devel-1.3.0.8-1.mga3.x86_64.rpm
389-ds-base-debuginfo-1.3.0.8-1.mga3.x86_64.rpm

I tested the upgrade and an initial installation.

Re-assigning the bug to qa-bugs@ml.mageia.org. Hopefully, we can get this out before the next CVE will be announced :)
Bug 10138 is the one QA is using for this update.
Fixed in Bug 10138: http://advisories.mageia.org/MGASA-2013-0263.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED