Bug 10889 - 389-ds-base new security issues CVE-2013-2219 and CVE-2013-4283
Summary: 389-ds-base new security issues CVE-2013-2219 and CVE-2013-4283
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 3
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: Thomas Spuhler
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/561621/
Depends on: 10138
  Show dependency treegraph
Reported: 2013-07-31 19:33 CEST by David Walser
Modified: 2013-08-30 19:27 CEST (History)
2 users (show)

See Also:
Source RPM: 389-ds-base-
Status comment:


Description David Walser 2013-07-31 19:33:07 CEST
RedHat has issued an advisory on July 30:

It's not clear which versions are affected, but we have it packaged in Mageia 3 and Cauldron.


Steps to Reproduce:
David Walser 2013-07-31 19:33:26 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Thomas Spuhler 2013-07-31 20:31:37 CEST
According to the announcement, version 1.2 are affected
We have versions 1.3 on mga3 and cauldron has been updated last night
Comment 2 David Walser 2013-07-31 20:34:18 CEST
Version 1.2 is what they issued an update for, because that's what they have in RHEL6.  It doesn't mean 1.3 isn't affected (it probably is).  Your best bet is to check the patch they added to the package against the code in 1.3.
Comment 3 David Walser 2013-08-02 16:47:47 CEST
The patch in RedHat's SRPM on RHEL6 that fixes this is:

It is already fixed in the version we have in Cauldron, but not in Mageia 3.

The patch applies cleanly and I have checked it into Mageia 3 SVN.

Please submit it to the build system if it looks good to you.

Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)

Comment 4 Thomas Spuhler 2013-08-02 19:28:36 CEST
The patch has been applied in mga3 and is in updates_testing.
I have done some testing by installing the package on a local box and did setup a maildomain, add users to it and sent e-mails back and forth. Also the roundcubemail shows the addresses in the addressbook and as far as I can see everything in Roundcubemail as well as in Thunderbird works.
Teh updated packages are:


The package in cauldron will be fixed by updating it to version >=
( currently doesn't build)

CC: (none) => thomas
Assignee: thomas => qa-bugs

Comment 5 David Walser 2013-08-02 21:28:33 CEST
Thanks Thomas.  BTW, if you can give more details on the testing setup, it'd help.


Updated 389-ds-base packages fix security vulnerability:

It was discovered that the 389 Directory Server did not honor defined
attribute access controls when evaluating search filter expressions. A
remote attacker (with permission to query the Directory Server) could use
this flaw to determine the values of restricted attributes via a series of
search queries with filter conditions that used restricted attributes


Updated packages in core/updates_testing:

from 389-ds-base-
Comment 6 claire robinson 2013-08-03 11:04:13 CEST
We now have 2 bugs assigned to QA for 389-ds-base. Only one bug should be assigned to QA for each update. As the last one wasn't pushed yet this build, whatever it includes is now the current one.

Does this include the bugfix from bug 10138 ? 
Were the issues in that bug addressed before building this on top of it?
Which bug do you want to close?

Whichever bug is left should include a full advisory of the changes.

Whiteboard: (none) => feedback

Comment 7 David Walser 2013-08-03 16:52:12 CEST
Whoops, sorry, didn't see the other bug.  I'll make this one depend on the other one.

CC: (none) => qa-bugs
Depends on: (none) => 10138
Assignee: qa-bugs => thomas
Whiteboard: feedback => (none)

Comment 8 Thomas Spuhler 2013-08-28 23:58:36 CEST
Oooops, seems this has never been assigned to QA.

Assignee: thomas => qa-bugs

Comment 9 David Walser 2013-08-29 00:28:27 CEST
Actually it was, but this bug is for the same update as the one in Bug 10138, so we are using that bug to QA this update.  Both bugs will be closed once the update is released.

Assignee: qa-bugs => thomas

Comment 10 Thomas Spuhler 2013-08-29 00:32:52 CEST
I understand. No problem. But it looked like it was stuck.
Comment 11 David Walser 2013-08-29 21:10:21 CEST
RedHat has issued an advisory on August 28:

This fixed a new security issue, CVE-2013-4283.

from http://lwn.net/Vulnerabilities/565273/

Summary: 389-ds-base new security issue CVE-2013-2219 => 389-ds-base new security issues CVE-2013-2219 and CVE-2013-4283

David Walser 2013-08-29 21:10:47 CEST

Severity: major => critical

Comment 12 Thomas Spuhler 2013-08-30 03:57:24 CEST
This security issue has been fixed by upgrading the package to version
Also the creation of the systemd dir has been made conditional to avoid the error message when this directory already exists when upgrading from a previous version.

Updated packages in core/updates_testing:


I tested the upgrade and an inital installation

Re-assigning the bug to qa-bugs@ml.mageia.org

Hopefully, we can get this out before the next CVE will be announced

Assignee: thomas => qa-bugs

Comment 13 David Walser 2013-08-30 03:59:01 CEST
Bug 10138 is the one QA is using for this update.

Assignee: qa-bugs => thomas

Comment 14 David Walser 2013-08-30 19:27:51 CEST
Fixed in Bug 10138:

Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.