Bug 15440 - 389-ds-base new security issues CVE-2014-8105 and CVE-2014-8112
Summary: 389-ds-base new security issues CVE-2014-8105 and CVE-2014-8112
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/635752/
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-03-06 22:25 CET by David Walser
Modified: 2015-03-14 19:44 CET

See Also:
Source RPM: 389-ds-base-1.3.3.6-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-03-06 22:25:39 CET
RedHat has issued an advisory on March 5:
https://rhn.redhat.com/errata/RHSA-2015-0416.html

It appears that both CVEs would affect Mageia 4 and Cauldron.

It's not clear if these issues are fixed upstream in 1.3.3.8:
http://www.port389.org/docs/389ds/releases/release-1-3-3-8.html

David Walser 2015-03-06 22:25:47 CET

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 Thomas Spuhler 2015-03-06 23:38:42 CET
It looks to me as if they haven't fixed it. I don't see anything in the logs. They have released 

The bug was closed yesterday. But version 1.3.3.8-2 doesn't mention anything in the change log.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8105

Let's wait a couple days and see if a new tarball shows up.

Status: NEW => ASSIGNED
Hardware: i586 => All

Comment 2 David Walser 2015-03-06 23:45:52 CET
Yes, RedHat has a screwy way of handling their bugs.  They'll close it even if it's not fixed in Fedora yet, as long as it's fixed in RHEL.  They'll leave the Fedora tracker bug open though (if they have one).

You could also check the 1.3.3.8 code against the RHEL7 patches for these CVEs, to see if they've already been fixed:
https://git.centos.org/blob/rpms!389-ds-base.git/f92ce9efedd7e9b37e8ae8a238bdb52b276da01b/SOURCES!0033-Fix-for-CVE-2014-8105.patch
https://git.centos.org/blob/rpms!389-ds-base.git/f92ce9efedd7e9b37e8ae8a238bdb52b276da01b/SOURCES!0031-Fix-for-CVE-2014-8112.patch
Comment 3 Thomas Spuhler 2015-03-07 19:12:25 CET
Fixed in SVN (upgrade to version 1.3.3.9) and asked for a freeze push in Cauldron.
I will upgrade it in mga4 after some testing.
Comment 4 David Walser 2015-03-08 21:22:25 CET
389-ds-base-1.3.3.9-1.mga5 uploaded for Cauldron.

Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 5 David Walser 2015-03-11 22:08:08 CET
Packages currently built for Mageia 4:
389-ds-base-1.3.3.9-1.mga4
lib389-ds-base0-1.3.3.9-1.mga4
lib389-ds-base-devel-1.3.3.9-1.mga4

from 389-ds-base-1.3.3.9-1.mga4.src.rpm
Comment 6 Thomas Spuhler 2015-03-11 22:50:43 CET
(In reply to David Walser from comment #5)
> Packages currently built for Mageia 4:
> 389-ds-base-1.3.3.9-1.mga4
> lib389-ds-base0-1.3.3.9-1.mga4
> lib389-ds-base-devel-1.3.3.9-1.mga4
> 
> from 389-ds-base-1.3.3.9-1.mga4.src.rpm

Let me test them first. They haven't been mirrored yet.
Comment 7 David Walser 2015-03-11 22:51:50 CET
(In reply to Thomas Spuhler from comment #6)
> Let me test them first. They haven't been mirrored yet.

It's not assigned to QA yet :o)
Comment 8 Thomas Spuhler 2015-03-12 18:58:19 CET
I did some preliminary tests:
I did a fresh install and setup-kolab. All worked fine. I didn't do an upgrade.
I am now assigning this to qa.

Assignee: thomas => qa-bugs

Comment 9 David Walser 2015-03-12 19:06:14 CET
Thanks Thomas!

Package list in Comment 5.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=11720#c7

Advisory:
========================

Updated 389-ds-base packages fix security vulnerabilities:

An information disclosure flaw was found in the way the 389 Directory Server
stored information in the Changelog that is exposed via the 'cn=changelog'
LDAP sub-tree. An unauthenticated user could in certain cases use this flaw
to read data from the Changelog, which could include sensitive information
such as plain-text passwords (CVE-2014-8105).

It was found that when the nsslapd-unhashed-pw-switch 389 Directory Server
configuration option was set to "off", it did not prevent the writing of
unhashed passwords into the Changelog. This could potentially allow an
authenticated user able to access the Changelog to read sensitive information
(CVE-2014-8112).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8105
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8112
https://rhn.redhat.com/errata/RHSA-2015-0416.html

CC: (none) => thomas
Whiteboard: (none) => has_procedure
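
As an added example (not part of the original bug report and not 389-ds project code), the following Python code audits an LDIF export of the 'cn=changelog' sub-tree described in the advisory above and lists the entries whose recorded modifications contain an unhashed password, so the affected accounts can have their passwords rotated. The attribute names `changenumber`, `targetdn` and `changes` and the pseudo-attribute `unhashed#user#password` are assumptions about 389-ds changelog entries that do not appear on this page, and the sample data is constructed.

```python
import base64

# Pseudo-attribute 389-ds uses for the clear-text value (assumption: not named on this page).
UNHASHED_ATTR = "unhashed#user#password"

def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attr: [values]}, unfolding lines and decoding base64."""
    entries, current = [], {}
    # RFC 2849: a line that starts with a single space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for line in unfolded.split("\n") + [""]:
        if not line.strip():              # a blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, rest = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if rest.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries

def exposed_changes(ldif_text):
    """Return (changenumber, targetdn) pairs for entries that logged an unhashed password.
    The password value itself is never returned."""
    return [(e.get("changenumber", ["?"])[0], e.get("targetdn", ["?"])[0])
            for e in parse_ldif(ldif_text)
            if any(UNHASHED_ATTR in c.lower() for c in e.get("changes", []))]

def _record(num, dn, mods):
    """Build one constructed changelog entry; 'changes' is base64-encoded and folded."""
    b64 = base64.b64encode(mods.encode()).decode()
    folded = "\n ".join(b64[i:i + 60] for i in range(0, len(b64), 60))
    return (f"dn: changenumber={num},cn=changelog\nchangenumber: {num}\n"
            f"targetdn: {dn}\nchangetype: modify\nchanges:: {folded}\n")

# Constructed sample data, not taken from a real server.
SAMPLE = "\n".join([
    _record(1, "uid=alice,ou=people,dc=example,dc=com",
            "replace: userPassword\nuserPassword: {SSHA}constructed\n-\n"
            "replace: unhashed#user#password\nunhashed#user#password: constructed-value\n-\n"),
    _record(2, "uid=bob,ou=people,dc=example,dc=com",
            "replace: description\ndescription: constructed\n-\n"),
])

if __name__ == "__main__":
    print(exposed_changes(SAMPLE))
```
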

Comment 10 Herman Viaene 2015-03-13 10:25:32 CET
MGA4-32 on AcerD6220 Xfce
Followed procedure as per bug 11720 Comment 7
At the CLI:
# setup-ds.pl 

....skip some...

WARNING  : The warning messages above should be reviewed before proceeding.

Would you like to continue? [no]: y

==============================================================================
Choose a setup type:

   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.

   2. Typical
       Allows you to specify common defaults and options.

   3. Custom
       Allows you to specify more advanced options. This is 
       recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]: 1

==============================================================================
....skip more....

Directory Manager DN [cn=Directory Manager]: 
Password: 
Password (confirm): 
Your new DS instance 'xxxx' was successfully created.
Exiting . . .
Log file is '/tmp/setupFBbCfB.log'

[root@xxxx ~]# systemctl start dirsrv@xxxx.service
[root@xxx ~]# systemctl status dirsrv@xxxx.service
dirsrv@xxxx.service - 389 Directory Server mach6.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled)
   Active: active (running) since vr 2015-03-13 10:15:57 CET; 1min 59s ago
  Process: 4044 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=0/SUCCESS)
 Main PID: 4046 (ns-slapd)
   CGroup: /system.slice/system-dirsrv.slice/dirsrv@mach6.service
           └─4046 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-mach6 -i /var/run/d...

mrt 13 10:15:57 <FQDN> systemd[1]: Started 389 Directory Server....
mrt 13 10:17:31 m<FQDN> systemd[1]: Started 389 Directory Server....
Hint: Some lines were ellipsized, use -l to show in full.
[root@xxxx ~]# netstat -pant | grep 389
tcp        0      0 :::389                      :::*                        LISTEN      4046/ns-slapd       
[root@mach6 ~]# ldapsearch -x -h localhost -s base -b ""  "objectclass=*"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
#

#
dn:
objectClass: top
defaultnamingcontext: dc=hviaene,dc=thuis
dataversion: 020150313091557
netscapemdsuffix: cn=ldap://dc=mach6,dc=hviaene,dc=thuis:389

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 11 Herman Viaene 2015-03-13 11:12:45 CET
MGA4-64 on HP-Probook 6555b KDE (Dutch)
Confirm results as above Comment 10

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 12 Rémi Verschelde 2015-03-13 11:38:09 CET
Advisory uploaded, validating. Please push to 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 13 Mageia Robot 2015-03-14 19:44:55 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0108.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

