Fedora has issued an advisory on October 8:
https://lists.fedoraproject.org/pipermail/package-announce/2015-October/168985.html
The issue was fixed upstream in 1.3.3.12:
http://www.port389.org/docs/389ds/releases/release-1-3-3-12.html
Fedora has updated to the newest version, 1.3.3.13:
http://www.port389.org/docs/389ds/releases/release-1-3-3-13.html
This bug has been fixed by upgrade to vers. 1.3.3.13
* this fixes security issue Bug 16928 CVE-2015-3230
* this is a maintenance update and fixes a lot of other issues - see upstream announcement
The following packages are in mga5, updates-testing:
389-ds-base-1.3.3.13-1.mga5.src.rpm
389-ds-base-1.3.3.13-1.mga5.x86_64.rpm
lib64389-ds-base0-1.3.3.13-1.mga5.x86_64.rpm
lib64389-ds-base-devel-1.3.3.13-1.mga5.x86_64.rpm
389-ds-base-debuginfo-1.3.3.13-1.mga5.x86_64.rpm
and corresponding i586 packages.
Status: NEW => ASSIGNED
CC: (none) => thomas
Hardware: i586 => All
Assignee: thomas => qa-bugs
Thanks Thomas!
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=11720#c7
Advisory:
========================
Updated 389-ds-base packages fix security vulnerability:
It was reported that nsSSL3Ciphers preference is not enforced server side, which allows for a potential downgrade attack to take place (CVE-2015-3230).
The 389-ds-base package has been updated to version 1.3.3.13, fixing this issue and several other bugs. See the upstream release announcements for details.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3230
http://www.port389.org/docs/389ds/releases/release-1-3-3-12.html
http://www.port389.org/docs/389ds/releases/release-1-3-3-13.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-October/168985.html
Whiteboard: (none) => has_procedure
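The advisory above concerns a configured nsSSL3Ciphers list that the server did not enforce. The following is an added example, not code from this bug report or from the 389-ds project: it parses an nsSSL3Ciphers value and reports any suite a client managed to negotiate that the policy does not permit. Assumptions: the attribute is read from the cn=encryption,cn=config entry of dse.ldif and uses the comma-separated +/- token syntax with the `all` keyword, an explicit `-` always wins, the `default` keyword is not handled, and both the LDIF fragment and the probe results are constructed sample data.

```python
# Constructed sample of the cn=encryption,cn=config entry from dse.ldif.
SAMPLE_DSE_LDIF = """\
dn: cn=encryption,cn=config
nsSSL3Ciphers: +all,-rsa_null_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,
 -rsa_des_sha,-rsa_rc4_128_md5
"""

def unfold(ldif):
    """Join LDIF continuation lines (a leading space continues a line)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_policy(ldif):
    """Return (allow_all, enabled, disabled) parsed from nsSSL3Ciphers."""
    for line in unfold(ldif):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "nsssl3ciphers":
            break
    else:
        raise ValueError("nsSSL3Ciphers is not set in this entry")
    allow_all, enabled, disabled = False, set(), set()
    for token in filter(None, (t.strip().lower() for t in value.split(","))):
        if token[0] not in "+-":
            raise ValueError(f"unsupported token: {token!r}")
        sign, cipher = token[0], token[1:]
        if cipher == "all":
            allow_all = sign == "+"
        elif sign == "+":
            enabled.add(cipher)
        else:
            disabled.add(cipher)
    return allow_all, enabled, disabled

def policy_violations(ldif, observed):
    """List negotiated suites that the configured policy does not permit."""
    allow_all, enabled, disabled = parse_policy(ldif)
    # Assumption: an explicit "-suite" always wins over "+all" or "+suite".
    return [s for s in observed
            if s.lower() in disabled or not (allow_all or s.lower() in enabled)]

if __name__ == "__main__":
    # Constructed probe result, already mapped to the server's cipher names.
    print(policy_violations(SAMPLE_DSE_LDIF, ["rsa_3des_sha", "rsa_rc4_128_md5"]))
```

An empty result for the suites negotiated against the updated server means the configured list is being honoured; any entry returned is a suite the server accepted despite the policy.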
CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure advisory
Trying x64. Small installation problem of inconsistency between hostname & local IP addresses:
"WARNING: There are problems with the hostname.
Hostname 'localhost.localdomain' is valid, but none of the IP addresses resolve back to localhost.localdomain
- address 0:0:0:0:0:0:0:1 resolves to host localhost
- address 127.0.0.1 resolves to host localhost
Please check the spelling of the hostname and/or your network configuration. If you proceed with this hostname, you may encounter problems.
Do you want to proceed with hostname 'localhost.localdomain'? [no]:"
What/where should I change please?
CC: (none) => lewyssmith
/etc/hosts
127.0.0.1 localhost.localdomain localhost
CC: (none) => tmb
As far as I remember, when setting up the server, it tells you that you need a FQDN?
MGA5-32 on AcerD620 Xfce
I do not find 389-ds-base-debuginfo-1.3.3.13-1 for i586. Proceeding anyway.
Procedure followed as per Comment 2, confirm results therein.
One side-remark: when using the Express setup, this one reported the name of the PC as
mach6.xxxx.yyyy.xxxx.yyyy
This is contrary to the hostname, which returns
mach6.xxxx.yyyy
So I choose setup type 2 Typical and accept all other defaults, and the configuration works OK with that.
CC: (none) => herman.viaene
Whiteboard: has_procedure advisory => has_procedure advisory MGA-32-OK
Whiteboard: has_procedure advisory MGA-32-OK => has_procedure advisory MGA5-32-OK
Testing MGA5 x64 real hardware.
Thanks Thomas for your Comment 4. Done.
I followed https://bugs.mageia.org/show_bug.cgi?id=11720#c7 (as usual, thanks Claire for beating the path),
# setup-ds.pl
but doing a 'typical' installation since I had already abandoned a previous one. Hit the same curiosity as Herman Comment 6:
"Computer name [localhost.localdomain.localdomain]: localhost.localdomain"
so thanks to you for warning of this. Accepted all subsequent defaults (plus a real password).
Password:
Password (confirm):
Your new DS instance 'localhost' was successfully created.
Exiting . . .
Log file is '/tmp/setupaOsgiX.log'

BEFORE update:
389-ds-base-1.3.3.10-1.mga5
lib64389-ds-base0-1.3.3.10-1.mga5
# systemctl start dirsrv@localhost
# systemctl status dirsrv@localhost
● dirsrv@localhost.service - 389 Directory Server localhost.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled)
   Active: active (running) since Iau 2015-10-15 12:26:18 CEST; 3min 26s ago
...
# netstat -pant | grep 389
tcp6 0 0 :::389 :::* LISTEN 8136/ns-slapd
# ldapsearch -x -h localhost -s base -b "" "objectclass=*"
# extended LDIF
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
dn: ...
All as per the test procedure.

AFTER update:
389-ds-base-1.3.3.13-1.mga5
lib64389-ds-base0-1.3.3.13-1.mga5
# systemctl restart dirsrv@localhost
# systemctl status dirsrv@localhost
O/P similar to previously.
# netstat -pant | grep 389
O/P identical to previously.
# ldapsearch -x -h localhost -s base -b "" "objectclass=*"
O/P identical
Update deemed OK.
Whiteboard: has_procedure advisory MGA5-32-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
Validating. Please push to 5 updates. Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0402.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED