Bug 11720 - 389-ds-base new security issue CVE-2013-4485
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: critical
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/574604/
Whiteboard: has_procedure advisory mga3-32-ok mga...
Keywords: validated_update
Reported: 2013-11-21 15:54 CET by David Walser
Modified: 2013-11-30 22:45 CET (History)

Source RPM: 389-ds-base-1.3.2.2-2.mga4.src.rpm
Description David Walser 2013-11-21 15:54:34 CET
Red Hat has issued an advisory today (November 21):
https://rhn.redhat.com/errata/RHSA-2013-1752.html

Comment 1 Thomas Spuhler 2013-11-21 19:20:33 CET
I am sure upstream will post an upgraded version in a few days.
There is an open bug (not reported) in upgrading the ldif file starting from version 1.3.2 that needs to be fixed.
mga needs the patch.
Comment 2 David Walser 2013-11-23 00:44:55 CET
Versions 1.3.0.9 and 1.3.2.5 have been released fixing this:
http://port389.org/wiki/Releases/1.3.0.9
http://port389.org/wiki/Releases/1.3.2.5
Comment 3 Thomas Spuhler 2013-11-23 01:09:58 CET
Thanks a lot. 1.3.2.5 in cauldron has a freeze push on it.
Comment 4 David Walser 2013-11-23 13:50:24 CET
Fixed in Cauldron in 389-ds-base-1.3.2.5-1.mga4.

Packages uploaded for Mageia 3 updates_testing:
389-ds-base-1.3.0.9-1.mga3
389-ds-base-libs-1.3.0.9-1.mga3
389-ds-base-devel-1.3.0.9-1.mga3

from 389-ds-base-1.3.0.9-1.mga3.src.rpm
Comment 5 Thomas Spuhler 2013-11-23 18:57:19 CET
(In reply to David Walser from comment #4)
> Fixed in Cauldron in 389-ds-base-1.3.2.5-1.mga4.
> 
> Packages uploaded for Mageia 3 updates_testing:
> 389-ds-base-1.3.0.9-1.mga3
> 389-ds-base-libs-1.3.0.9-1.mga3
> 389-ds-base-devel-1.3.0.9-1.mga3
> 
> from 389-ds-base-1.3.0.9-1.mga3.src.rpm

I tested the update in mga3. I did not test a new install in mga3.
I am going to assign this now to QA.
Comment 6 David Walser 2013-11-23 19:06:17 CET
Thanks Thomas.

Advisory:
========================

Updated 389-ds-base packages fix security vulnerability:

It was discovered that the 389 Directory Server did not properly handle
certain Get Effective Rights (GER) search queries when the attribute list,
which is a part of the query, included several names using the '@'
character. An attacker able to submit search queries to the 389 Directory
Server could cause it to crash (CVE-2013-4485).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4485
http://port389.org/wiki/Releases/1.3.0.9
https://rhn.redhat.com/errata/RHSA-2013-1752.html
========================

Updated packages in core/updates_testing:
========================
389-ds-base-1.3.0.9-1.mga3
389-ds-base-libs-1.3.0.9-1.mga3
389-ds-base-devel-1.3.0.9-1.mga3

from 389-ds-base-1.3.0.9-1.mga3.src.rpm
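As an added example (not from the bug report, Mageia's tooling or the 389 project), the check below compares installed 389-ds-base package versions against the fixed versions named in comment 4, using rpm's segment-wise version ordering instead of a plain string compare (which would rank 1.3.0.10 below 1.3.0.9). The sample package list is constructed, and the code assumes the packages carry no epoch.

```python
import re

# Fixed 389-ds-base versions quoted in this bug (comment 4): Mageia 3 updates
# and Cauldron (mga4). Anything older still carries CVE-2013-4485.
FIXED_VR = {
    "mga3": "1.3.0.9-1.mga3",
    "mga4": "1.3.2.5-1.mga4",
}

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings the way rpm's rpmvercmp() does.
    Returns -1, 0 or 1. Digit runs compare numerically (so 10 > 9), letter
    runs lexically, a digit run outranks a letter run, and a '~' segment
    sorts before everything (pre-release). Separators such as '.' are ignored."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~" or y == "~":
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi == yi:
                continue
            return -1 if xi < yi else 1
        if x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # One string has extra segments: it is newer unless the extra part is a '~'.
    longer, extra = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    return -extra if longer[min(len(sa), len(sb))] == "~" else extra


def is_patched(nvr: str) -> bool:
    """nvr is a name-version-release string as printed by 'rpm -q <pkg>',
    e.g. '389-ds-base-libs-1.3.0.9-1.mga3' (no epoch assumed)."""
    _name, version, release = nvr.rsplit("-", 2)
    distro = release.rsplit(".", 1)[-1]          # 'mga3' / 'mga4'
    fixed_version, fixed_release = FIXED_VR[distro].split("-")
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return order >= 0


def audit(rpm_q_lines):
    """Map each package line to True (fixed) or False (still vulnerable)."""
    return {ln.strip(): is_patched(ln.strip()) for ln in rpm_q_lines if ln.strip()}


# Constructed sample output of: rpm -qa "389-ds-base*"  (not taken from the bug)
SAMPLE = """
389-ds-base-1.3.2.2-2.mga4
389-ds-base-1.3.0.9-1.mga3
389-ds-base-libs-1.3.0.8-3.mga3
389-ds-base-devel-1.3.0.9-2.mga3
"""

if __name__ == "__main__":
    for pkg, ok in audit(SAMPLE.splitlines()).items():
        print(f"{'fixed     ' if ok else 'VULNERABLE'} {pkg}")
```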
Comment 7 claire robinson 2013-11-25 14:47:31 CET
Testing complete mga3 32

# hostname laptop.local
# hostname
laptop.local

# setup-ds.pl 

==============================================================================
This program will set up the 389 Directory Server.

It is recommended that you have "root" privilege to set up the software.

..etc


Chose Express setup and when it asked for DN just hit enter and entered an 8 character password.

Directory Manager DN [cn=Directory Manager]: 
Password: 
Password (confirm): 
/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
Your new DS instance 'laptop' was successfully created.
Exiting . . .
Log file is '/tmp/setupcyGVEh.log'


# systemctl start dirsrv@laptop.service
# systemctl status dirsrv@laptop.service
dirsrv@laptop.service - 389 Directory Server laptop.
          Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled)
          Active: active (running) since Mon, 2013-11-25 13:40:28 GMT; 1min 31s ago

...etc

# netstat -pant | grep 389
tcp    0    0 0.0.0.0:389     0.0.0.0:*     LISTEN      23343/ns-slapd

Shows it listening on port 389 and the following command shows lots of info.

# ldapsearch -x -h localhost -s base -b ""  "objectclass=*"

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
#

#
dn:
objectClass: top
namingContexts: dc=local
defaultnamingcontext: dc=local

...etc
Comment 8 claire robinson 2013-11-25 16:39:26 CET
Testing complete mga3 64
Comment 9 claire robinson 2013-11-25 17:24:34 CET
Validating. Advisory uploaded (after some faffing around).

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!
Comment 10 Thomas Backlund 2013-11-30 22:45:57 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0357.html