Bug 25286 - openldap new security issues CVE-2019-13057 and CVE-2019-13565
Summary: openldap new security issues CVE-2019-13057 and CVE-2019-13565
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 24076
Reported: 2019-08-12 01:31 CEST by David Walser
Modified: 2019-09-15 16:46 CEST (History)
CC: 4 users

See Also:
Source RPM: openldap-2.4.47-1.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2019-08-12 01:31:59 CEST
Ubuntu has issued an advisory on July 30:
https://usn.ubuntu.com/4078-1/

The issues are fixed upstream in 2.4.48.

Mageia 6 is also affected.
David Walser 2019-08-12 01:32:18 CEST

Blocks: (none) => 24076
Whiteboard: (none) => MGA6TOO

Comment 1 Buchan Milne 2019-08-18 21:03:11 CEST
Required patches added in (currently building):
 openldap-2.4.45-2.1.mga6
 openldap-2.4.47-3.1.mga7

CC: (none) => bgmilne
Assignee: bgmilne => qa-bugs

Comment 2 David Walser 2019-08-18 22:50:20 CEST
What about Bug 24076?
Comment 3 Herman Viaene 2019-09-05 11:37:27 CEST
MGA6-64 Plasma on Lenovo B50
Hunting for the packages to install, I found these:
- lib64ldap2.4_2-2.4.45-2.1.mga6.x86_64
- openldap-back_bdb-2.4.45-2.1.mga6.x86_64
- openldap-back_mdb-2.4.45-2.1.mga6.x86_64
- openldap-back_sql-2.4.45-2.1.mga6.x86_64
- openldap-clients-2.4.45-2.1.mga6.x86_64
- openldap-doc-2.4.45-2.1.mga6.x86_64
- openldap-extra-schemas-1.3-18.mga6.noarch
- openldap-servers-2.4.45-2.1.mga6.x86_64
- openldap-testprogs-2.4.45-2.1.mga6.x86_64
- openldap-tests-2.4.45-2.1.mga6.x86_64
No problems installing
# systemctl  start slapd
# systemctl -l status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-09-05 11:34:25 CEST; 4s ago
  Process: 2273 ExecStart=/usr/sbin/slapd -u ${LDAP_USER} -g ${LDAP_GROUP} -h ${SLAPDURLLIST} -l ${SLAPDSYSLOGLOCALUSER} -s ${SLAPDSYSLOGLEVEL} (code=exite
  Process: 2191 ExecStartPre=/usr/share/openldap/scripts/ldap-config check (code=exited, status=0/SUCCESS)
 Main PID: 2275 (slapd)
   CGroup: /system.slice/slapd.service
           └─2275 /usr/sbin/slapd -u ldap -g ldap -h ldap:/// ldapi:/// -l local4 -s 0

sep 05 11:34:24 mach5.hviaene.thuis systemd[1]: Starting OpenLDAP Server Daemon...
sep 05 11:34:24 mach5.hviaene.thuis su[2210]: (to ldap) root on none
sep 05 11:34:25 mach5.hviaene.thuis ldap-config[2191]: Checking config file /etc/openldap/slapd.conf: [  OK  ]
sep 05 11:34:25 mach5.hviaene.thuis systemd[1]: Started OpenLDAP Server Daemon.
Looking for some more tests.

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2019-09-05 12:23:20 CEST
Found loads of info at https://wiki.cdot.senecacollege.ca/wiki/OpenLDAP_Installation_and_Test
too much for my liking, so I just skipped all the configuration stuff and went straight to the testing commands:
$ ldapsearch -x -b ** -s base supportedFeatures
# extended LDIF
#
# LDAPv3
# base <Afbeeldingen> with scope baseObject
# filter: (objectclass=*)
# requesting: Bureaublad Documenten Downloads Muziek pgadmin.log project Sjablonen svn tmp Video's supportedFeatures 
#

# search result
search: 2
result: 34 Invalid DN syntax
text: invalid DN

# numResponses: 1

$ ldapsearch -x -b ** -s base supportedControl
# extended LDIF
#
# LDAPv3
# base <Afbeeldingen> with scope baseObject
# filter: (objectclass=*)
# requesting: Bureaublad Documenten Downloads Muziek pgadmin.log project Sjablonen svn tmp Video's supportedControl 
#

# search result
search: 2
result: 34 Invalid DN syntax
text: invalid DN

# numResponses: 1

$ ldapsearch -x -b ** -s base supportedExtension
# extended LDIF
#
# LDAPv3
# base <Afbeeldingen> with scope baseObject
# filter: (objectclass=*)
# requesting: Bureaublad Documenten Downloads Muziek pgadmin.log project Sjablonen svn tmp Video's supportedExtension 
#

# search result
search: 2
result: 34 Invalid DN syntax
text: invalid DN

# numResponses: 1

$ ldapsearch -x -W -D 'cn=Manager,dc=ops535,dc=com' -b // -s base
Enter LDAP Password: 
ldap_bind: Server is unwilling to perform (53)
        additional info: unauthenticated bind (DN with no password) disallowed

Output seems sensible. OK'ing unless someone else finds this is not enough.

Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK

Comment 5 Buchan Milne 2019-09-05 21:20:15 CEST
> ldapsearch -x -b ** -s base supportedFeatures

The ** should be ''

ldapsearch -x -b '' -s base supportedFeatures

Your shell expanded the * to files in the directory you ran the command from.

Any further testing would require a bit more configuration, and population of some data (I think beyond the scope of this bug, but we should consider better "integration tests" for future).

However, the openldap-tests package contains the upstream test-suite, in a format that can be used to run them as non-root, e.g.:

sudo rurpmi openldap-tests
make -C /usr/share/openldap/tests test

(more options exist to limit the backends tested etc., by default it runs all default tests for all supported backends)

(we used to run this at build time, but they take too long on the build system especially on arm, and sometimes fail the more complex tests due to load on the build system)

Replying to David:
> What about Bug 24076?

I propose dropping the nops overlay. I'll do that now in cauldron.
Comment 6 Herman Viaene 2019-09-14 12:05:01 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
# systemctl  start slapd
# systemctl -l status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-09-14 11:35:49 CEST; 14s ago
  Process: 10270 ExecStartPre=/usr/share/openldap/scripts/ldap-config check (code=exited, status=0/SUCCESS)
  Process: 10310 ExecStart=/usr/sbin/slapd -u ${LDAP_USER} -g ${LDAP_GROUP} -h ${SLAPDURLLIST} -l ${SLAPDSYSLOGLOCALUSER} -s ${SL>
 Main PID: 10311 (slapd)
   Memory: 4.8M
   CGroup: /system.slice/slapd.service
           └─10311 /usr/sbin/slapd -u ldap -g ldap -h ldap:/// ldapi:/// -l local4 -s 0

sep 14 11:35:49 mach5.hviaene.thuis systemd[1]: Starting OpenLDAP Server Daemon...
sep 14 11:35:49 mach5.hviaene.thuis su[10278]: (to ldap) root on none
sep 14 11:35:49 mach5.hviaene.thuis su[10278]: pam_unix(su:session): session opened for user ldap by (uid=0)
sep 14 11:35:49 mach5.hviaene.thuis su[10278]: pam_unix(su:session): session closed for user ldap
sep 14 11:35:49 mach5.hviaene.thuis ldap-config[10270]: Checking config file /etc/openldap/slapd.conf: [  OK  ]
sep 14 11:35:49 mach5.hviaene.thuis systemd[1]: Started OpenLDAP Server Daemon.

Then
$ ldapsearch -x -b '' -s base supportedFeatures
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedFeatures 
#

#
dn:
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

and 
$ make -C /usr/share/openldap/tests test       
make: Entering directory '/usr/share/openldap/tests'
make[1]: Entering directory '/usr/share/openldap/tests'
Initiating LDAP tests for BDB...
Cleaning up test run directory leftover from previous run.
Running ./scripts/all for bdb...
>>>>> Executing all LDAP tests for bdb
>>>>> Starting test000-rootdse for bdb...
running defines.sh
Starting slapd on TCP/IP port 9011...
Using ldapsearch to retrieve the root DSE...
Using ldapsearch to retrieve the cn=Subschema...
Using ldapsearch to retrieve the cn=Monitor...
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: o=OpenLDAP Project,l=Internet
monitorContext: cn=Monitor
and loads more ....
I could not see any error popping up, so OK for me.

Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK
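The root DSE smoke test that comments 4 to 6 converge on, as an added example that is not part of the bug report, of the Mageia packaging, or of the openldap-tests suite. The functions `query_rootdse` and `check_rootdse_ldif` and the two embedded samples are my additions; the samples are abbreviated copies of the ldapsearch output shown in comments 4 and 6 (constructed test data, not captured from a new run). The point of comment 5 is quoting: `-b ''` sends an empty base DN, whereas an unquoted `**` is a shell glob that expands to the file names in the current directory before ldapsearch runs, which is exactly why comment 4 got `result: 34 Invalid DN syntax`. The checker therefore treats any result code other than 0, and an answer with no values for the requested attribute, as a failed test rather than "output that looks sensible".

```shell
#!/bin/sh
# Added example, not part of the bug report or of the openldap package.
# Smoke test for the root DSE query discussed in comments 4-6.

# query_rootdse ATTR
#   Run the correctly quoted search against the local slapd. The base DN
#   must be a quoted empty string: an unquoted ** is a shell glob, not an
#   empty DN. Needs a running server, so it is not exercised offline here.
query_rootdse() {
    ldapsearch -x -b '' -s base "$1"
}

# check_rootdse_ldif ATTR
#   Read ldapsearch's extended-LDIF output from stdin and succeed only when
#   the server answered "result: 0 Success" and returned at least one value
#   of ATTR. Prints a one-line verdict. Exit status: 0 = good answer,
#   1 = server error or no values, 2 = no "result:" line at all (empty or
#   truncated output).
check_rootdse_ldif() {
    awk -v attr="$1" '
        BEGIN            { values = 0 }
        $1 == (attr ":") { values++ }       # e.g. "supportedFeatures: 1.3.6.1.1.14"
        $1 == "result:"  { code = $2 }      # e.g. "result: 34 Invalid DN syntax"
        END {
            if (code == "")  { print "no result line in output"; exit 2 }
            if (code != "0") { print "server returned result " code; exit 1 }
            if (values == 0) { print "result 0 but no " attr " values"; exit 1 }
            print values " " attr " value(s)"
            exit 0
        }'
}

# Constructed sample: the successful MGA7 answer from comment 6, abbreviated.
good_sample() {
    cat <<'EOF'
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedFeatures
#

#
dn:
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
EOF
}

# Constructed sample: the glob-expanded failure from comment 4, abbreviated.
bad_sample() {
    cat <<'EOF'
# extended LDIF
#
# LDAPv3
# base <Afbeeldingen> with scope baseObject
# filter: (objectclass=*)
# requesting: Bureaublad Documenten supportedFeatures
#

# search result
search: 2
result: 34 Invalid DN syntax
text: invalid DN

# numResponses: 1
EOF
}

# Demonstration when run directly: one verdict per sample.
good_sample | check_rootdse_ldif supportedFeatures
bad_sample  | check_rootdse_ldif supportedFeatures || echo "(expected failure, exit $?)"
```

Against a live slapd the same check is `query_rootdse supportedFeatures | check_rootdse_ldif supportedFeatures`, repeated for `supportedControl` and `supportedExtension`; a non-zero exit from the pipeline means the server did not answer the root DSE query cleanly, whatever the output looks like to the eye.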

Thomas Backlund 2019-09-15 15:38:10 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 7 Mageia Robot 2019-09-15 16:46:41 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0280.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED