RedHat has issued an advisory on September 25:
https://access.redhat.com/errata/RHSA-2018:2757

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.
CC: (none) => geiger.david68210, marja11, mrambo, smelror
Assignee: bugsquad => pkg-bugs
I guess the versions of 389-ds-base in cauldron and Mageia 6 are not vulnerable to CVE-2018-14638. The patch provided for that CVE does not apply in either package - not even close afaics.

Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated 389-ds-base package fixes security vulnerabilities:

* a race condition on reference counter leads to DoS using persistent search (CVE-2018-10850)
* ldapsearch with server side sort allows users to cause a crash (CVE-2018-10935)
* a server crash through the modify command with large DN (CVE-2018-14624)

References:
https://access.redhat.com/errata/RHSA-2018:2757
https://bugzilla.redhat.com/show_bug.cgi?id=1588056
https://bugzilla.redhat.com/show_bug.cgi?id=1613606
https://bugzilla.redhat.com/show_bug.cgi?id=1619450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10935
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14624
========================

Updated packages in core/updates_testing:
========================
389-ds-base-1.3.5.17-1.6.mga6
389-ds-base-snmp-1.3.5.17-1.6.mga6
lib64389-ds-base0-1.3.5.17-1.6.mga6
lib64389-ds-base-devel-1.3.5.17-1.6.mga6

from 389-ds-base-1.3.5.17-1.6.mga6.src.rpm

Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=11720#c7
https://bugs.mageia.org/show_bug.cgi?id=16928#c7
Keywords: (none) => has_procedure
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
MGA6-64 Plasma on Lenovo B50
No installation issues on existing previous version.
Came to same issues and solutions as per bug 22466, giving results:

    # start-dirsrv
    Starting instance "mach5"
    There is an ns-slapd running: 7574
    [root@mach5 ~]# netstat -pant | grep 389
    tcp6 0 0 :::389
    # ldapsearch -x -h localhost -s base -b "" "objectclass=*"
    # extended LDIF
    #
    # LDAPv3
    # base <> with scope baseObject
    # filter: objectclass=*
    # requesting: ALL
    #

    #
    dn:
    objectClass: top
    defaultnamingcontext: dc=hviaene,dc=thuis
    dataversion: 020181005180703
    netscapemdsuffix: cn=ldap://dc=mach5,dc=hviaene,dc=thuis:389

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

For me OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-64-OK
Validating. Suggested advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0404.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED