SUSE has issued an advisory today (August 20): https://lists.suse.com/pipermail/sle-security-updates/2021-August/009326.html The issue is fixed upstream in 2.0.7: https://bugzilla.redhat.com/show_bug.cgi?id=1982782 Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.0.7
openSUSE has issued an advisory for this today (August 20): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/E6YUB5M37IM7IMXZ65R3QTW6TPO6B3OS/
This SRPM has no evident maintainer, so have to assign this globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Fixed crypt handling of locked accounts. (CVE-2021-3652)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3652
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009326.html
https://bugzilla.redhat.com/show_bug.cgi?id=1982782
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/E6YUB5M37IM7IMXZ65R3QTW6TPO6B3OS/
========================

Updated packages in core/updates_testing:
========================
389-ds-base-snmp-1.4.0.26-8.1.mga8
lib(64)svrcore0-1.4.0.26-8.1.mga8
lib(64)389-ds-base-devel-1.4.0.26-8.1.mga8
lib(64)svrcore-devel-1.4.0.26-8.1.mga8
lib(64)389-ds-base0-1.4.0.26-8.1.mga8
389-ds-base-1.4.0.26-8.1.mga8
cockpit-389-ds-1.4.0.26-8.1.mga8

from SRPM:
389-ds-base-1.4.0.26-8.1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Source RPM: 389-ds-base-1.4.0.26-9.mga9.src.rpm => 389-ds-base-1.4.0.26-8.mga8.src.rpm
CVE: (none) => CVE-2021-3652
Status comment: Fixed upstream in 2.0.7 => (none)
CC: (none) => nicolas.salguero
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Tried this but fell at the first fence. The setup script did not like my hostname, which is not lqdn. localhost.localdomain is defined in the hosts file but setup does not allow you to choose a hostname and I am unwilling to change it. Handing this over to somebody who does have an LQDN hostname.
CC: (none) => tarazed25
s/LQDN/FQDN/
Updated all the packages. Decided to go with localhost.localdomain as a temporary measure.
$ hostname localhost.localdomain
Borrowed from bug 25824.
# setup-ds.pl
Used the [2] option for common options and set up dirsrv. Also created a local user/administrator(?) with a name and password but have no idea what to do with her.
# systemctl start dirsrv@localhost
# systemctl status dirsrv@localhost
● dirsrv@localhost.service - 389 Directory Server localhost.
Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor p>
Active: active (running) since Mon 2021-09-20 16:33:46 BST; 2min 47s ago
# netstat -pant | grep 389
tcp6 0 0 :::389 :::* LISTEN 2894540/ns-slapd
# ldapsearch -x -h localhost -s base -b "" "objectclass=*"
# extended LDIF
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
#
dn:
objectClass: top
defaultnamingcontext: dc=localdomain
dataversion: 020210920153346
netscapemdsuffix: cn=ldap://dc=localhost,dc=localdomain:389
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
$ id dirsrv
uid=954(dirsrv) gid=951(dirsrv) groups=951(dirsrv)
These results echo those of previous tests so this can be passed.
Whiteboard: (none) => MGA8-64-OK
Thank you, Len. Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0440.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED