Fedora has issued an advisory on August 6: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D2LEPJLCLU4I6ROZM3NHIDSPKCZUF3DR/ The issue is fixed in 1.3.4.14. The issue might affect 1.3.5.x and be fixed in 1.3.5.13 as well.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since, to the best of my knowledge, the registered maintainer is unavailable.
CC: (none) => marja11Assignee: bugsquad => pkg-bugs
Changed version from cauldron to 5 as this applies to both. 389-ds-base-1.3.5.13-1.mga6 has been uploaded for cauldron/6.
CC: (none) => mramboVersion: Cauldron => 5Whiteboard: MGA5TOO => (none)
Patched package uploaded for Mageia 5. Testing procedures: https://bugs.mageia.org/show_bug.cgi?id=11720#c7 https://bugs.mageia.org/show_bug.cgi?id=16928#c7 Advisory: ======================== Updated 389-ds-base package fixes security vulnerability: A vulnerability in 389-ds-base was found that allows to bypass limitations for compare and read operations specified by Access Control Instructions. When having LDAP sub-tree with some existing objects and having BIND DN which have no privileges over objects inside the sub-tree, unprivileged user can send LDAP ADD operation specifying an object in (supposedly) inaccessible sub-tree. The returned error messages discloses the information when the queried object exists having the specified value. Attacker can use this flaw to guess values of RDN component by repeating the above process (CVE-2016-4992). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4992 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D2LEPJLCLU4I6ROZM3NHIDSPKCZUF3DR/ ======================== Updated packages in core/updates_testing: ======================== 389-ds-base-1.3.4.14-1.mga5 from 389-ds-base-1.3.4.14-1.mga5.src.rpm
Assignee: pkg-bugs => qa-bugs
Whiteboard: (none) => has_procedure
Testing M5-64 real hardware # cat /etc/hosts 127.0.0.1 localhost.localdomain localhost Following procedure https://bugs.mageia.org/show_bug.cgi?id=16928#c7 except I already had the package installed and running, so skipped the installation part. BEFORE update # systemctl status dirsrv@localhost â dirsrv@localhost.service - 389 Directory Server localhost. Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled) Active: active (running) since Maw 2016-10-11 20:55:40 CEST; 10s ago Process: 4561 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=0/SUCCESS) Main PID: 4610 (ns-slapd) CGroup: /system.slice/system-dirsrv.slice/dirsrv@localhost.service ââ4610 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-localhost -i /var/r... [shown in full because it changed slightly] # netstat -pant | grep 389 tcp6 0 0 :::389 :::* LISTEN 4610/ns-slapd # ldapsearch -x -h localhost -s base -b "" "objectclass=*" # extended LDIF # LDAPv3 # base <> with scope baseObject # filter: objectclass=* # requesting: ALL dn: objectClass: top defaultnamingcontext: dc=localdomain dataversion: 020161011185541 netscapemdsuffix: cn=ldap://dc=localhost,dc=localdomain:389 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 AFTER update: 389-ds-base-1.3.4.14-1.mga5 lib64389-ds-base0-1.3.4.14-1.mga5 Note that the library is not in the Comment 3 pkg list; but it was in Updates Testing, and was automatically included when choosing the base package. # systemctl restart dirsrv@localhost # systemctl status dirsrv@localhost â dirsrv@localhost.service - 389 Directory Server localhost. Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled) Active: active (running) since Maw 2016-10-11 21:03:05 CEST; 13s ago Process: 3377 ExecStopPost=/bin/rm -f /var/run/dirsrv/slapd-%i.pid (code=exited, status=0/SUCCESS) Process: 3426 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=0/SUCCESS) Main PID: 3448 (ns-slapd) CGroup: /system.slice/system-dirsrv.slice/dirsrv@localhost.service ââ3448 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-localhost -i /var/r... [Note the additional 2nd Process info line compared to before the update]. # netstat -pant | grep 389 [O/P essentially identical] # ldapsearch -x -h localhost -s base -b "" "objectclass=*" [O/P essentially identical] This update looks OK.
CC: (none) => lewyssmithWhiteboard: has_procedure => has_procedure MGA5-64-OK
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisoryCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0350.html
Status: NEW => RESOLVEDResolution: (none) => FIXED