RedHat has issued an advisory today (August 7): https://rhn.redhat.com/errata/RHSA-2014-1031.html Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
Fixed in 389-ds-base-1.3.2.21-1.mga5 for Cauldron by Thomas Spuhler.
Version: Cauldron => 4Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
The bugs has been fixed by upgrading to vers. 1.3.2.21. The following srpms (and rpms) are now in mga3 and mga4 core/updates_testing. I will do some preliminary testing before assigning to QA (I'll be out of town for a few days) 389-ds-base-1.3.2.21-1.mga3.src.rpm 389-ds-base-1.3.2.21-1.mga4.src.rpm
Updated packages in core/updates_testing: ======================== 389-ds-base-1.3.2.21-1.mga3 389-ds-base-libs-1.3.2.21-1.mga3 389-ds-base-devel-1.3.2.21-1.mga3 389-ds-base-1.3.2.21-1.mga4 389-ds-base-libs-1.3.2.21-1.mga4 389-ds-base-devel-1.3.2.21-1.mga4
URL: (none) => http://lwn.net/Vulnerabilities/608202/
I thought we decided to start listing the srpms only? Well, I did some testing on mga3 (I am going to install it on my mga4 server, I am very confident not to see any problems in mga4) I upgraded the installed package and the upgrade went fine, no warnings or error messages I used roundcubemail (with kolab plugin) to send and receive some messages. I used kolab-webadmin to add some information such as phone number of the user, no problems I setup Kontakt/kmail including the ldap part and when I was preparing a new e-mail, starting typing the receiver in the To: filed, the two available user came up. so this worked to as expected. Assigning it to QA now
Status: NEW => ASSIGNEDCC: (none) => thomasAssignee: thomas => qa-bugs
Thanks Thomas! We still have to list the RPMs so QA knows what to test. Usually madb ( http://mageia.madb.org/tools/updates ) can figure it out (see the RPMs links) if it knows what the SRPMS are and the packages have hit the mirrors, but it's still good to list them just to be safe. Advisory: ======================== Updated 389-ds-base packages fix security vulnerability: It was found that when replication was enabled for each attribute in 389 Directory Server, which is the default configuration, the server returned replicated metadata when the directory was searched while debugging was enabled. A remote attacker could use this flaw to disclose potentially sensitive information (CVE-2014-3562). The 389-ds-base package has been updated to version 1.3.2.21, fixing this issue and other bugs. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3562 https://rhn.redhat.com/errata/RHSA-2014-1031.html
Hold off, there seems to be a problem. Assigning back to me.
Assignee: qa-bugs => thomas
Fedora released version 1.3.2.22 = version 1.3.2.19 plus security fix. Updated packages in core/updates_testing: ======================== 389-ds-base-1.3.2.22-1.mga3 389-ds-base-libs-1.3.2.22-1.mga3 389-ds-base-devel-1.3.2.22-1.mga3 389-ds-base-1.3.2.22-1.mga4 389-ds-base-libs-1.3.2.22-1.mga4 389-ds-base-devel-1.3.2.22-1.mga4 assigning back to QA
Assignee: thomas => qa-bugs
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=11720#c7
CC: (none) => remiWhiteboard: MGA3TOO => MGA3TOO has_procedure
Testing on mga-4-64: Using the procedure described in https://bugs.mageia.org/show_bug.cgi?id=11720#c7 The setup stopped/or hung after the message: ValueError: SELinux policy is not managed or store cannot be accessed. There was no message that setup was completed. I hit Ctrl-C and ran setup-ds.pl again, but it reported that "the server already exists". So I proceeded to run the remainder of the tests - all of which completed as predicted. I hesitate to say that this was a success. I'll test on mga-4-32 to see if I get similar results.
(In reply to James Kerr from comment #9) > Testing on mga-4-64: > > Using the procedure described in > https://bugs.mageia.org/show_bug.cgi?id=11720#c7 > > The setup stopped/or hung after the message: > ValueError: SELinux policy is not managed or store cannot be accessed. > There was no message that setup was completed. > > I hit Ctrl-C and ran setup-ds.pl again, but it reported that "the server > already exists". > > So I proceeded to run the remainder of the tests - all of which completed as > predicted. > > I hesitate to say that this was a success. I'll test on mga-4-32 to see if I > get similar results. Did you wait long enough. You may just stopped the installation using Ctrl-C (or it may completed) There is quite some time wehn nothing happens.
(In reply to Thomas Spuhler from comment #10) Perhaps not. I did wait for a minute or two, but my testing machine is quite slow. I'll try to remove the server and re-run setup. Probably not before tomorrow though.
Testing on mga-4-32, using the same testing procedure. This time I waited long enough for the success message to appear. The test results were as predicted. Based on this and the fact that the server was correctly set up on mga-4-64, even though I did not wait long enough for the success message to appear, I would say that these updates are acceptable. I have been unable to find a POC to test that the vulnerability is indeed fixed. Testing complete on Mageia 4 i586 and on Mageia 4 x86_64
Adding result to whiteboard
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK
Testing on mga-3-64 using the same procedure: All tets completed successfully.
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-64-OK
Testing on mga-3-32 using the same procedure. All tests completed successfully. (With reference to comment 11, I did recreate the server and all tests completed successfully.) I believe this update can be validated. Would someone with SVN access create the advisory (comment 5) SRPMs 389-ds-base-1.3.2.22-1.mga3.src.rpm 389-ds-base-1.3.2.22-1.mga4.src.rpm
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-64-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-64-OK MGA
whiteboard updated
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-64-OK MGA => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-64-OK MGA3-32-OK
The text in the advisory in comment 5 needs to be amended to refer to version 1.3.2.22
Validating, advisory uploaded. Please push 389-ds-base to 3 & 4 core/updates.
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-64-OK MGA3-32-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-64-OK MGA3-32-OK advisoryCC: (none) => sysadmin-bugs
(In reply to James Kerr from comment #17) > The text in the advisory in comment 5 needs to be amended to refer to > version 1.3.2.22 Thanks, I made sure to refer to the correct version.
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0333.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED