Bug 30175 - 389-ds-base new security issue CVE-2021-4091
Summary: 389-ds-base new security issue CVE-2021-4091
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-03-15 18:28 CET by David Walser
Modified: 2022-03-21 21:19 CET (History)
CC: 5 users

See Also:
Source RPM: 389-ds-base-1.4.0.26-8.1.mga8.src.rpm
CVE: CVE-2021-4091
Status comment:



Description David Walser 2022-03-15 18:28:08 CET
RedHat has issued an advisory today (March 15):
https://access.redhat.com/errata/RHSA-2022:0889

Mageia 8 is also affected.
Comment 1 Lewis Smith 2022-03-15 21:04:14 CET
Another package with different maintainers, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-03-16 11:48:21 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash. (CVE-2021-4091)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4091
https://access.redhat.com/errata/RHSA-2022:0889
========================

Updated packages in core/updates_testing:
========================
389-ds-base-1.4.0.26-8.2.mga8
389-ds-base-snmp-1.4.0.26-8.2.mga8
cockpit-389-ds-1.4.0.26-8.2.mga8
lib(64)389-ds-base0-1.4.0.26-8.2.mga8
lib(64)389-ds-base-devel-1.4.0.26-8.2.mga8
lib(64)svrcore0-1.4.0.26-8.2.mga8
lib(64)svrcore-devel-1.4.0.26-8.2.mga8

from SRPM:
389-ds-base-1.4.0.26-8.2.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2021-4091
Version: Cauldron => 8
Source RPM: 389-ds-base-1.4.0.26-10.mga9.src.rpm => 389-ds-base-1.4.0.26-8.1.mga8.src.rpm
CC: (none) => nicolas.salguero

Comment 3 Herman Viaene 2022-03-17 16:25:19 CET
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues
Ref bug 25824 and 22466 for testing, giving same results with final test
# ldapsearch -x -h localhost -s base -b ""  "objectclass=*"
returning:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
#

#
dn:
objectClass: top
defaultnamingcontext: dc=hviaene,dc=thuis
dataversion: 020220317151351
netscapemdsuffix: cn=ldap://dc=mach5,dc=hviaene,dc=thuis:389
OK for me

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
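
The verification a practitioner would script after an update like this one, as an added example that is not part of the bug report or of 389-ds-base: compare the installed version-release of 389-ds-base with the fixed Mageia 8 release from Comment 2 (1.4.0.26-8.2.mga8) using a simplified rpmvercmp, then optionally repeat the anonymous base-DSE query from Comment 3, which a patched server must still answer. Assumptions: the rpm --qf query format and the ldapsearch -H URI form are used in place of the -h form shown above, and the fallback value 1.4.0.26-8.1.mga8 (the pre-update SRPM release from this bug) is a constructed stand-in for hosts where rpm or the package is absent, so the script also runs offline.

```shell
#!/bin/sh
# Added example; not part of the bug report or of 389-ds-base.
# 1. Compare the installed 389-ds-base version-release with the fixed
#    Mageia 8 release from Comment 2 (1.4.0.26-8.2.mga8).
# 2. Optionally repeat the base-DSE query from Comment 3 against a running
#    server (RUN_LDAP_CHECK=1); a patched server must still answer it.

FIXED_EVR="1.4.0.26-8.2.mga8"

# True when $1 consists only of digits.
is_num() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Compare two version-release strings segment by segment (split on '.' and
# '-') and print lt, eq or gt.  Numeric segments compare numerically, other
# segments lexically, and a numeric segment ranks above a non-numeric one,
# as in rpmvercmp.  Simplification (assumption): rpm also splits at
# letter/digit boundaries, which these Mageia EVRs do not need.
evr_cmp() {
    left=$(printf '%s\n' "$1" | tr '.-' '\n\n')
    right=$(printf '%s\n' "$2" | tr '.-' '\n\n')
    i=1
    while :; do
        sa=$(printf '%s\n' "$left" | sed -n "${i}p")
        sb=$(printf '%s\n' "$right" | sed -n "${i}p")
        if [ -z "$sa" ] && [ -z "$sb" ]; then echo eq; return; fi
        if [ -z "$sa" ]; then echo lt; return; fi
        if [ -z "$sb" ]; then echo gt; return; fi
        if is_num "$sa" && is_num "$sb"; then
            if [ "$sa" -lt "$sb" ]; then echo lt; return; fi
            if [ "$sa" -gt "$sb" ]; then echo gt; return; fi
        elif is_num "$sa"; then
            echo gt; return
        elif is_num "$sb"; then
            echo lt; return
        elif [ "$sa" != "$sb" ]; then
            first=$(printf '%s\n%s\n' "$sa" "$sb" | LC_ALL=C sort | head -n 1)
            if [ "$first" = "$sa" ]; then echo lt; else echo gt; fi
            return
        fi
        i=$((i + 1))
    done
}

# Exit 0 when version-release $1 is at or above FIXED_EVR.
has_fix() {
    [ "$(evr_cmp "$1" "$FIXED_EVR")" != lt ]
}

# Version-release of the installed package as rpm prints it.  Off a Mageia
# box (no rpm, or package absent) fall back to a constructed value, the
# pre-update SRPM release from this bug, so the script still runs offline.
installed_evr() {
    if command -v rpm >/dev/null 2>&1 &&
       evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' 389-ds-base 2>/dev/null); then
        printf '%s\n' "$evr"
    else
        printf '%s\n' "1.4.0.26-8.1.mga8"   # constructed fallback (assumption)
    fi
}

# The anonymous base-DSE search from Comment 3 (-H URI form instead of the
# older -h form).  Succeeds when the server returns its defaultnamingcontext.
ldap_smoke_test() {
    ldapsearch -x -H ldap://localhost -s base -b "" "objectclass=*" 2>/dev/null |
        grep -qi '^defaultnamingcontext:'
}

main() {
    evr=${1:-$(installed_evr)}
    if has_fix "$evr"; then
        echo "389-ds-base $evr: at or above $FIXED_EVR, CVE-2021-4091 fix present"
    else
        echo "389-ds-base $evr: below $FIXED_EVR, still vulnerable to CVE-2021-4091" >&2
    fi
    if [ "${RUN_LDAP_CHECK:-0}" = 1 ] && command -v ldapsearch >/dev/null 2>&1; then
        if ldap_smoke_test; then echo "base DSE query OK"; else echo "base DSE query failed" >&2; fi
    fi
}

main "$@"
```

Run it with no argument on the updated host to query rpm, or pass a version-release string to check a value by hand; set RUN_LDAP_CHECK=1 to also run the base-DSE query against the local server.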

Comment 4 Thomas Andrews 2022-03-17 22:28:00 CET
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-03-21 02:20:11 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-03-21 21:19:51 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0106.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

