Bug 23610 - 389-ds-base new security issues CVE-2018-10850, CVE-2018-10935, CVE-2018-14624, CVE-2018-14638
Summary: 389-ds-base new security issues CVE-2018-10850, CVE-2018-10935, CVE-2018-1462...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-09-26 16:27 CEST by David Walser
Modified: 2018-10-19 20:02 CEST (History)
8 users (show)

See Also:
Source RPM: 389-ds-base-1.3.5.19-7.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-09-26 16:27:19 CEST
RedHat has issued an advisory on September 25:
https://access.redhat.com/errata/RHSA-2018:2757

Mageia 6 is also affected.
David Walser 2018-09-26 16:27:29 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-09-26 17:06:55 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing some committers.

CC: (none) => geiger.david68210, marja11, mrambo, smelror
Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2018-10-04 21:01:41 CEST
I guess the versions of 389-ds-base in cauldron and Mageia 6 are not vulnerable to CVE-2018-14638. The patch provided for that CVE does not apply in either package - not even close afaics.

Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated 389-ds-base package fixes security vulnerabilities:

* a race condition on reference counter leads to DoS using persistent search (CVE-2018-10850)
* ldapsearch with server side sort allows users to cause a crash (CVE-2018-10935)
* a server crash through the modify command with large DN (CVE-2018-14624)


References:
https://access.redhat.com/errata/RHSA-2018:2757
https://bugzilla.redhat.com/show_bug.cgi?id=1588056
https://bugzilla.redhat.com/show_bug.cgi?id=1613606
https://bugzilla.redhat.com/show_bug.cgi?id=1619450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10935
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14624
========================

Updated packages in core/updates_testing:
========================
389-ds-base-1.3.5.17-1.6.mga6
389-ds-base-snmp-1.3.5.17-1.6.mga6
lib64389-ds-base0-1.3.5.17-1.6.mga6
lib64389-ds-base-devel-1.3.5.17-1.6.mga6

from 389-ds-base-1.3.5.17-1.6.mga6.src.rpm


Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=11720#c7
https://bugs.mageia.org/show_bug.cgi?id=16928#c7

Version: Cauldron => 6
Keywords: (none) => has_procedure
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs

Comment 3 Herman Viaene 2018-10-05 20:21:54 CEST
MGA6-64 Plasma on Lenovo B50
No installation issues on existing previous version.
Came to same issues and solutions as per bug22466 giving results:
# start-dirsrv
Starting instance "mach5"
There is an ns-slapd running: 7574
[root@mach5 ~]# netstat -pant | grep 389 
tcp6       0      0 :::389  

# ldapsearch -x -h localhost -s base -b ""  "objectclass=*"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
#

#
dn:
objectClass: top
defaultnamingcontext: dc=hviaene,dc=thuis
dataversion: 020181005180703
netscapemdsuffix: cn=ldap://dc=mach5,dc=hviaene,dc=thuis:389

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

For me OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-64-OK

Comment 4 Thomas Andrews 2018-10-18 23:07:31 CEST
Validating. Suggested advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2018-10-19 18:09:46 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 5 Mageia Robot 2018-10-19 20:02:08 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0404.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.