RedHat has issued an advisory on October 30: https://access.redhat.com/errata/RHSA-2018:3127 The issue is fixed upstream in 1.4.0.17. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing some committers.
CC: (none) => geiger.david68210, marja11, mrambo, smelrorAssignee: bugsquad => pkg-bugs
Upgraded cauldron to 1.4.0.18. Tried to do 1.3.9.0 for Mageia 6 but couldn't get it to build. Applied an upstream patch to the existing mga6 code base that just fixes the CVE instead. Advisory: ======================== Patched 389-ds-base package fixes security vulnerability: It was discovered that mishandled search requests in servers/slapd/search.c:do_search() in 389-ds-base allows for denial of service (CVE-2018-14648). References: https://access.redhat.com/errata/RHSA-2018:3127 https://bugzilla.redhat.com/show_bug.cgi?id=1630668 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14648 ======================== Updated packages in core/updates_testing: ======================== 389-ds-base-1.3.5.17-1.7.mga6 389-ds-base-snmp-1.3.5.17-1.7.mga6 lib64389-ds-base0-1.3.5.17-1.7.mga6 lib64389-ds-base-devel-1.3.5.17-1.7.mga6 from 389-ds-base-1.3.5.17-1.7.mga6.src.rpm Testing procedures: https://bugs.mageia.org/show_bug.cgi?id=11720#c7 https://bugs.mageia.org/show_bug.cgi?id=16928#c7
Keywords: (none) => has_procedureAssignee: pkg-bugs => qa-bugsVersion: Cauldron => 6Whiteboard: MGA6TOO => (none)
Testing M6 x64 real hardware Test procedure ex Claire: https://bugs.mageia.org/show_bug.cgi?id=11720#c7 BEFORE update I already had installed: 389-ds-base-1.3.5.17-1.6.mga6 389-ds-base-snmp-1.3.5.17-1.6.mga6 lib64389-ds-base0-1.3.5.17-1.6.mga6 # systemctl start dirsrv@localhost failed (I did not first check whether it was already running...). # setup-ds.pl also eventually failed "Error: the server already exists at '/etc/dirsrv/slapd-localhost' Please remove it first if you really want to recreate it," which I did: # rm -rf /etc/dirsrv/slapd-localhost after which # setup-ds.pl worked OK with Express setup: "Your new DS instance 'localhost' was successfully created." Perhaps all this was unnecessary if it was running in the first place. ---------------------------------------------------------------------- # systemctl start dirsrv@localhost # systemctl status dirsrv@localhost ● dirsrv@localhost.service - 389 Directory Server localhost. Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor pres Active: active (running) since Sul 2018-11-18 19:54:08 CET; 1min 18s ago Process: 22491 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/ Main PID: 22497 (ns-slapd) Status: "slapd started: Ready to process requests" CGroup: /system.slice/system-dirsrv.slice/dirsrv@localhost.service └─22497 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-localhost -i /var/run Tach 18 19:54:06 localhost.localdomain systemd[1]: Starting 389 Directory Server ... Tach 18 19:54:08 localhost.localdomain systemd[1]: Started 389 Directory Server # netstat -pant | grep 389 tcp6 0 0 :::389 :::* LISTEN 22497/ns-slapd # ldapsearch -x -h localhost -s base -b "" "objectclass=*" # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: objectclass=* # requesting: ALL # dn: objectClass: top defaultnamingcontext: dc=localdomain dataversion: 020181118185407 netscapemdsuffix: cn=ldap://dc=localhost,dc=localdomain:389 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 ----------------------------------- AFTER update to: 389-ds-base-1.3.5.17-1.7.mga6 389-ds-base-snmp-1.3.5.17-1.7.mga6 lib64389-ds-base0-1.3.5.17-1.7.mga6 # systemctl restart dirsrv@localhost # systemctl status dirsrv@localhost O/P essentially the same. # netstat -pant | grep 389 O/P identical. # ldapsearch -x -h localhost -s base -b "" "objectclass=*" O/P essentially identical. Deemed OK for 64-bit.
Whiteboard: (none) => MGA6-64-OKCC: (none) => lewyssmith
Advisory done from comment 2. Validated.
Keywords: (none) => advisory, validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0461.html
Status: NEW => RESOLVEDResolution: (none) => FIXED