SUSE has issued an advisory on August 15: http://lists.suse.com/pipermail/sle-security-updates/2019-August/005817.html Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
There is no official maintainer for this pkg, so assigning the bug globally. CC'ing Jani & DavidG as recent committers.
CC: (none) => geiger.david68210, jani.valimaa
Assignee: bugsquad => pkg-bugs
Another CVE: CVE-2019-14824 (https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-0-31.html)
CC: (none) => nicolas.salguero
Summary: 389-ds-base new security issues CVE-2018-1054, CVE-2018-10871, CVE-2019-3883 => 389-ds-base new security issues CVE-2018-1054, CVE-2018-10871, CVE-2019-3883, CVE-2019-14824
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An out-of-bounds memory read flaw was found in the way 389-ds-base handled certain LDAP search filters, affecting all versions including 1.4.x. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service. (CVE-2018-1054)

389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords. (CVE-2018-10871)

In 389-ds-base up to version 1.4.1.2, requests are handled by worker threads. Each socket is waited on by the worker for at most 'ioblocktimeout' seconds. However, this timeout applies only to unencrypted requests. Connections using SSL/TLS do not take this timeout into account during reads, and may hang longer. An unauthenticated attacker could repeatedly create hanging LDAP requests to hang all the workers, resulting in a Denial of Service. (CVE-2019-3883)

A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes. (CVE-2019-14824)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1054
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10871
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3883
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14824
http://lists.suse.com/pipermail/sle-security-updates/2019-August/005817.html
https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-0-31.html
========================

Updated packages in core/updates_testing:
========================
389-ds-base-1.4.0.26-1.mga7
lib(64)389-ds-base0-1.4.0.26-1.mga7
lib(64)389-ds-base-devel-1.4.0.26-1.mga7
389-ds-base-snmp-1.4.0.26-1.mga7
cockpit-389-ds-1.4.0.26-1.mga7
lib(64)svrcore0-1.4.0.26-1.mga7
lib(64)svrcore-devel-1.4.0.26-1.mga7

from SRPMS:
389-ds-base-1.4.0.26-1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
Source RPM: 389-ds-base-1.4.0.18-5.mga8.src.rpm => 389-ds-base-1.4.0.18-4.1.mga7.src.rpm
Status: NEW => ASSIGNED
CVE: (none) => CVE-2018-1054, CVE-2018-10871, CVE-2019-3883, CVE-2019-14824
Bug 25709 is also affected to QA Team.
Blocks: (none) => 25709
Thanks. Please add a note about that other bug to the advisory.
Suggested advisory:
========================

The updated packages fix security vulnerabilities and a packaging problem:

An out-of-bounds memory read flaw was found in the way 389-ds-base handled certain LDAP search filters, affecting all versions including 1.4.x. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service. (CVE-2018-1054)

389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords. (CVE-2018-10871)

In 389-ds-base up to version 1.4.1.2, requests are handled by worker threads. Each socket is waited on by the worker for at most 'ioblocktimeout' seconds. However, this timeout applies only to unencrypted requests. Connections using SSL/TLS do not take this timeout into account during reads, and may hang longer. An unauthenticated attacker could repeatedly create hanging LDAP requests to hang all the workers, resulting in a Denial of Service. (CVE-2019-3883)

A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes. (CVE-2019-14824)

There were conflicts between files from svrcore and 389-ds-base which prevented the installation of 389-ds.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1054
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10871
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3883
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14824
http://lists.suse.com/pipermail/sle-security-updates/2019-August/005817.html
https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-0-31.html
https://bugs.mageia.org/show_bug.cgi?id=25709
========================

Updated packages in core/updates_testing:
========================
389-ds-base-1.4.0.26-1.mga7
lib(64)389-ds-base0-1.4.0.26-1.mga7
lib(64)389-ds-base-devel-1.4.0.26-1.mga7
389-ds-base-snmp-1.4.0.26-1.mga7
cockpit-389-ds-1.4.0.26-1.mga7
lib(64)svrcore0-1.4.0.26-1.mga7
lib(64)svrcore-devel-1.4.0.26-1.mga7

from SRPMS:
389-ds-base-1.4.0.26-1.mga7.src.rpm
MGA7-64 Plasma on Lenovo B50
Trying to install updates using QARepo I get:
Sorry, het volgende pakket is niet selecteerbaar: cannot be selected - 389-ds-base-1.4.0.26-1.mga7.x86_64 (due to missing libns-dshttpd-1.4.0.26.so()(64bit))
CC: (none) => herman.viaene
Hi,

According to the spec file, that dependency is provided by lib64389-ds-base-devel.

Best regards,

Nico.
This does mean the base package cannot be installed without the devel. Isn't that a bit ... let's say uncommon?
(In reply to Herman Viaene from comment #9)
> This does mean the base package cannot be installed without the devel.
> Isn't that a bit ... let's say uncommon?

Yep. A "normal" package should not depend on devel packages, that's a packaging error.
CC: (none) => tmb
MGA7-64 Plasma on Lenovo B50
After adding the lib64389-ds-base-devel, the installation went OK.
Ref bug 22466 Comments 3 and 4: had exactly the same situation and feedback from the commands. Just to make a resumé:
# setup-ds.pl
works OK
# systemctl start dirsrv@localhost
loads, but fails to start, but
# start-dirsrv
is OK and
# netstat -pant | grep 389
tcp6       0      0 :::389                  :::*                    LISTEN      32467/ns-slapd
# ldapsearch -x -h localhost -s base -b "" "objectclass=*"
gives positive feedback
So OK'ing on same results.
Whiteboard: (none) => MGA7-64-OK
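The manual checks in the test comment above (listener on port 389, anonymous root DSE search), scripted as a repeatable post-update smoke check. This is an added example, not code from the bug report or from the 389-ds project; it assumes `ss` (iproute2) and `ldapsearch` (openldap clients) are installed and that it is run as root so process names are visible.

```shell
#!/bin/sh
# Post-update smoke check for a 389-ds instance (added example, not from the
# bug report). Scripts the manual steps from the QA comment:
#   1. ns-slapd must own a LISTEN socket on TCP 389,
#   2. an anonymous base search of the root DSE must return "result: 0".
# Assumptions: `ss` and `ldapsearch` are installed; run as root for `ss -p`.

# Read `ss -ltnp` or `netstat -pant` output on stdin; succeed only if a LISTEN
# socket on the given port belongs to ns-slapd. Works with both output formats
# because both carry ":<port><space>", the word LISTEN and the process name.
listener_ok() {
    port="$1"
    grep -E ":${port}[[:space:]]" | grep 'LISTEN' | grep -q 'ns-slapd'
}

# Read ldapsearch output on stdin; print the numeric LDAP result code from the
# "result: N ..." line. Prints nothing if the server never answered (e.g. the
# client could not connect), which the caller treats as a failure.
result_code() {
    sed -n 's/^result: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Read root-DSE search output on stdin; print each namingContexts value, so the
# caller can confirm the suffix created by setup-ds.pl is actually served.
naming_contexts() {
    sed -n 's/^namingContexts: //p'
}

# Live check against localhost; only runs when invoked as `sh check.sh --run`.
smoke_check() {
    if ! ss -ltnp 2>/dev/null | listener_ok 389; then
        echo "FAIL: ns-slapd is not listening on TCP 389" >&2
        return 1
    fi
    out=$(ldapsearch -x -H ldap://localhost -s base -b "" "objectclass=*" 2>&1)
    code=$(printf '%s\n' "$out" | result_code)
    if [ "$code" != "0" ]; then
        echo "FAIL: root DSE search returned result code '${code:-none}'" >&2
        return 1
    fi
    echo "OK: ns-slapd listening, root DSE readable, suffixes served:"
    printf '%s\n' "$out" | naming_contexts
}

if [ "${1:-}" = "--run" ]; then
    smoke_check
fi
```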
389-ds-base-1.4.0.26-1.1.mga7 will solve the packaging issue.

Updated packages in core/updates_testing:
========================
389-ds-base-1.4.0.26-1.1.mga7
lib(64)389-ds-base0-1.4.0.26-1.1.mga7
lib(64)389-ds-base-devel-1.4.0.26-1.1.mga7
389-ds-base-snmp-1.4.0.26-1.1.mga7
cockpit-389-ds-1.4.0.26-1.1.mga7
lib(64)svrcore0-1.4.0.26-1.1.mga7
lib(64)svrcore-devel-1.4.0.26-1.1.mga7

from SRPMS:
389-ds-base-1.4.0.26-1.1.mga7.src.rpm
Whiteboard: MGA7-64-OK => (none)
Installed the new version, making sure the 2 devel packages are not in QARepo. Installation works OK. Repeated same tests as above with same OK results.
Keywords: (none) => advisory
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0411.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
This update also fixed CVE-2019-10224 (fixed in 1.4.0.23):
https://pagure.io/389-ds-base/c/632ecb90d96ac0535656f5aaf67fd2be4b81d310
https://pagure.io/389-ds-base/releases
*** Bug 28147 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu