Red Hat has issued an advisory on November 3: https://rhn.redhat.com/errata/RHSA-2016-2594.html They updated to 1.3.5.10, and we recently updated Cauldron to 1.3.5.13, so I don't believe we're affected there. We also recently updated the version in Mageia 5, but I'm not sure if it contains the fixes, though it probably does.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
There are three CVEs associated with this and both RHEL6 and RHEL7 are identified as being vulnerable upstream. For reference: RHEL6 is at version 389-ds-base-1.2.11.15. RHEL7 is at version 389-ds-base-1.3.3.1.

https://access.redhat.com/security/cve/CVE-2016-4992
Information disclosure via repeated use of LDAP ADD operation (low impact)

https://access.redhat.com/security/cve/CVE-2016-5416
ACI readable by anonymous user (moderate impact)

RHEL6 - Status is "Fix deferred" for both of these.

https://access.redhat.com/security/cve/CVE-2016-5405
Password verification vulnerable to timing attack (low impact)

RHEL6 - Status is "Will not fix".

In all cases the RHEL7 fix is to update to 389-ds-base-1.3.5.10. As noted, cauldron is at 389-ds-base-1.3.5.13. MGA5 is at 389-ds-base-1.3.4.14. I have not been able to find sufficient information to determine whether MGA5 on version 1.3.4.14 is vulnerable to any of these.
CC: (none) => mrambo
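Added example (not from this bug thread, and not 389-ds-base's own verifier or the upstream patch): the comment above lists "Password verification vulnerable to timing attack" (CVE-2016-5405) without saying what that class of bug looks like. The block below shows the generic shape: an early-exit byte comparison leaks how many leading bytes of a guess were correct, and an attacker who can observe that leak recovers the secret one byte at a time. The stored secret, the alphabet, and the work counter are constructed for the demonstration; work is counted instead of wall-clock time so the result is deterministic. The constant-time variant uses `hmac.compare_digest` from the Python standard library.

```python
import hmac
import string

# Constructed sample secret for the demonstration (not a real credential).
STORED = b"hunter2"


def naive_verify(stored: bytes, guess: bytes):
    """Early-exit comparison, the vulnerable pattern.

    Returns (matched, bytes_examined). The second value stands in for
    elapsed time: the comparison stops at the first mismatching byte, so
    the amount of work reveals the length of the correct prefix.
    """
    if len(stored) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(stored, guess):
        examined += 1
        if s != g:
            return False, examined
    return True, examined


def constant_time_verify(stored: bytes, guess: bytes):
    """Hardened comparison.

    hmac.compare_digest examines every byte regardless of where the first
    mismatch is, so the work done does not depend on the guess. We report
    len(stored) as the (fixed) work to model that. Note it still reveals
    whether the lengths differ; compare fixed-length digests in practice.
    """
    return hmac.compare_digest(stored, guess), len(stored)


def recover_with_oracle(verify, length, alphabet=string.printable.encode()):
    """Byte-at-a-time recovery using only the work-count side channel.

    `verify(guess)` must return (matched, work). For each position the
    candidate byte that causes the most work is the one that matched;
    padding bytes (NUL here) fill the unknown tail so lengths agree.
    """
    known = b""
    for pos in range(length):
        best_byte, best_work = None, -1
        for c in alphabet:
            candidate = known + bytes([c]) + b"\x00" * (length - pos - 1)
            matched, work = verify(candidate)
            if matched:
                return candidate
            if work > best_work:
                best_byte, best_work = c, work
        known += bytes([best_byte])
    return known


def demo():
    """Run the recovery against both verifiers for the sample secret.

    Returns (recovered_from_naive, recovered_from_constant_time).
    """
    naive = lambda g: naive_verify(STORED, g)
    hardened = lambda g: constant_time_verify(STORED, g)
    return (recover_with_oracle(naive, len(STORED)),
            recover_with_oracle(hardened, len(STORED)))


if __name__ == "__main__":
    leaked, not_leaked = demo()
    print("naive verifier leaked:     ", leaked)
    print("constant-time verifier gave:", not_leaked)
```

Against the naive verifier the oracle yields the full secret with at most `len(alphabet)` guesses per byte; against the constant-time verifier every candidate costs the same work, so the recovery loop has nothing to select on and returns garbage. Real timing attacks replace the work counter with many averaged network or CPU-cycle measurements, but the leak being exploited is the same.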
Fedora has referenced CVE-2016-5416 in the update to 1.3.5.15: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NZB7ZCJX2H7QKCPTZORYUJSHIC5X6WXW/
An update to 1.3.5.15 is pending... (so no one wastes time)
An update to 1.3.5.15 has been committed and pushed for cauldron to resolve the referenced security issues.
Status: NEW => RESOLVED
Resolution: (none) => FIXED