Bug 33301 - 389-ds-base new security issues CVE-2024-3657 and CVE-2024-2199
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
URL:
Whiteboard: MGA9TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2024-06-13 09:45 CEST by Nicolas Salguero
Modified: 2024-06-13 21:05 CEST

See Also:
Source RPM: 389-ds-base-1.4.0.26-19.mga10.src.rpm
CVE: CVE-2024-3657, CVE-2024-2199
Status comment:



Description Nicolas Salguero 2024-06-13 09:45:45 CEST
Red Hat has issued an advisory on June 12:
https://lwn.net/Articles/978093/

Mageia 9 is also affected.
Nicolas Salguero 2024-06-13 09:46:31 CEST

Source RPM: (none) => 389-ds-base-1.4.0.26-19.mga10.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-3657, CVE-2024-2199

Comment 1 Lewis Smith 2024-06-13 21:05:57 CEST
An update for 389-ds-base is now available for Red Hat Enterprise Linux 9
"description"
"A denial of service vulnerability was found in 389-ds-base ldap server. This issue may allow an authenticated user to cause a server crash while modifying `userPassword` using malformed input."
ns-slapd crashing in ldap_mods_free()

I cannot find the correction...

BTAIM assigning this globally.

Assignee: bugsquad => pkg-bugs

