Bug 29393 - 389-ds-base new security issue CVE-2021-3652
Summary: 389-ds-base new security issue CVE-2021-3652
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords:
Depends on:
Blocks:
 
Reported: 2021-08-20 17:54 CEST by David Walser
Modified: 2021-09-20 18:05 CEST (History)
2 users (show)

See Also:
Source RPM: 389-ds-base-1.4.0.26-8.mga8.src.rpm
CVE: CVE-2021-3652
Status comment:


Attachments

Description David Walser 2021-08-20 17:54:43 CEST
SUSE has issued an advisory today (August 20):
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009326.html

The issue is fixed upstream in 2.0.7:
https://bugzilla.redhat.com/show_bug.cgi?id=1982782

Mageia 8 is also affected.
David Walser 2021-08-20 17:55:10 CEST

Status comment: (none) => Fixed upstream in 2.0.7
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2021-08-20 18:06:44 CEST
openSUSE has issued an advisory for this today (August 20):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/E6YUB5M37IM7IMXZ65R3QTW6TPO6B3OS/
Comment 2 Lewis Smith 2021-08-20 21:34:35 CEST
This SRPM has no evident maintainer, so have to assign this globally.

Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Salguero 2021-08-30 16:24:25 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Fixed crypt handling of locked accounts. (CVE-2021-3652)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3652
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009326.html
https://bugzilla.redhat.com/show_bug.cgi?id=1982782
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/E6YUB5M37IM7IMXZ65R3QTW6TPO6B3OS/
========================

Updated packages in core/updates_testing:
========================
389-ds-base-snmp-1.4.0.26-8.1.mga8
lib(64)svrcore0-1.4.0.26-8.1.mga8
lib(64)389-ds-base-devel-1.4.0.26-8.1.mga8
lib(64)svrcore-devel-1.4.0.26-8.1.mga8
lib(64)389-ds-base0-1.4.0.26-8.1.mga8
389-ds-base-1.4.0.26-8.1.mga8
cockpit-389-ds-1.4.0.26-8.1.mga8

from SRPM:
389-ds-base-1.4.0.26-8.1.mga8.src.rpm

Source RPM: 389-ds-base-1.4.0.26-9.mga9.src.rpm => 389-ds-base-1.4.0.26-8.mga8.src.rpm
CVE: (none) => CVE-2021-3652
CC: (none) => nicolas.salguero
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 2.0.7 => (none)
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)

Comment 4 Len Lawrence 2021-09-12 21:54:18 CEST
Tried this but fell at the first fence.
The setup script did not like my hostname, which is not lqdn.
localhost.localdomain is defined in the hosts file but setup does not allow you to choose a hostname and I am unwilling to change it.
Handing this over to somebody who does have an LQDN hostname.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2021-09-12 23:14:49 CEST
s/LQDN/FQDN/
Comment 6 Len Lawrence 2021-09-20 18:05:37 CEST
Updated all the packages.

Decided to go with localhost.localdomain as a temporary measure.
$ hostname
localhost.localdomain

Borrowed from bug 25824.

# setup-ds.pl
Used the [2] option for common options and set up dirsrv.
Also created a local user/administrator(?) with a name and password but have no idea what to do with her.

# systemctl start dirsrv@localhost
# systemctl status dirsrv@localhost
● dirsrv@localhost.service - 389 Directory Server localhost.
     Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor p>
     Active: active (running) since Mon 2021-09-20 16:33:46 BST; 2min 47s ago

# netstat -pant | grep 389
tcp6       0      0 :::389                  :::*                    LISTEN      2894540/ns-slapd    

# ldapsearch -x -h localhost -s base -b ""  "objectclass=*"
# extended LDIF
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
#
dn:
objectClass: top
defaultnamingcontext: dc=localdomain
dataversion: 020210920153346
netscapemdsuffix: cn=ldap://dc=localhost,dc=localdomain:389
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

$ id dirsrv
uid=954(dirsrv) gid=951(dirsrv) groups=951(dirsrv)

These results echo those of previous tests so this can be passed.

Whiteboard: (none) => MGA8-64-OK


Note You need to log in before you can comment on or make changes to this bug.