Bug 31022 - 389-ds-base new security issue CVE-2022-2850
Summary: 389-ds-base new security issue CVE-2022-2850
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-10-25 14:32 CEST by David Walser
Modified: 2022-11-08 20:45 CET

See Also:
Source RPM: 389-ds-base-1.4.0.26-15.mga9.src.rpm
CVE: CVE-2022-2850
Status comment:



Description David Walser 2022-10-25 14:32:04 CEST
RedHat has issued an advisory today (October 25):
https://access.redhat.com/errata/RHSA-2022:7087

Mageia 8 is also affected.
David Walser 2022-10-25 14:32:33 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-10-26 08:24:48 CEST
Assigning to NicolasS who has done several CVE updates to this package.

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2022-11-02 14:29:31 CET
I added two patches from CentOS 7.

For Mageia 8, the build was successful but for Cauldron the build failed when trying to link to library libldap_r, which was removed in version 2.5 of openldap.
Comment 3 David Walser 2022-11-02 17:34:29 CET
In Cauldron, it either should be updated to a current version or dropped.  It's strange that it depends on openldap given that it's supposed to be a replacement for it.
Comment 4 Nicolas Salguero 2022-11-03 10:19:14 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A flaw was found in 389-ds-base. When the Content Synchronization plugin is enabled, an authenticated user can reach a NULL pointer dereference using a specially crafted query. This flaw allows an authenticated attacker to cause a denial of service. This CVE is assigned against an incomplete fix of CVE-2021-3514. (CVE-2022-2850)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2850
https://access.redhat.com/errata/RHSA-2022:7087
========================

Updated packages in core/updates_testing:
========================
389-ds-base-1.4.0.26-8.6.mga8
389-ds-base-snmp-1.4.0.26-8.6.mga8
cockpit-389-ds-1.4.0.26-8.6.mga8
lib(64)389-ds-base0-1.4.0.26-8.6.mga8
lib(64)389-ds-base-devel-1.4.0.26-8.6.mga8
lib(64)svrcore0-1.4.0.26-8.6.mga8
lib(64)svrcore-devel-1.4.0.26-8.6.mga8

from SRPM:
389-ds-base-1.4.0.26-8.6.mga8.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2022-2850

Comment 5 Herman Viaene 2022-11-05 13:31:23 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 30558 Comment 2, 
# setup-ds.pl

==============================================================================
This program will set up the 389 Directory Server.

It is recommended that you have "root" privilege to set up the software.
Tips for using this  program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" or the word "back" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]: etc.....

All further results are the same, so I will not repeat the whole list.
OK for me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2022-11-06 14:39:38 CET
Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-11-08 15:35:15 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2022-11-08 20:45:53 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0413.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
