Explore top 10 tips to secure your open-source projects now. Read More
×
All 389-ds-base users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues and add these
enhancements. After installing this update, the 389 server service will be
restarted automatically.
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
The 389 Directory Server is an LDAPv3 compliant server. The base packages
include the Lightweight Directory Access Protocol (LDAP) server and
command-line utilities for server administration.
An information disclosure flaw was found in the way the 389 Directory
Server stored information in the Changelog that is exposed via the
'cn=changelog' LDAP sub-tree. An unauthenticated user could in certain
cases use this flaw to read data from the Changelog, which could include
sensitive information such as plain-text passwords.
(CVE-2014-8105)
It was found that when the nsslapd-unhashed-pw-switch 389 Directory Server
configuration option was set to "off", it did not prevent the writing of
unhashed passwords into the Changelog. This could potentially allow an
authenticated user able to access the Changelog to read sensitive
information. (CVE-2014-8112)
The CVE-2014-8105 issue was discovered by Petr Å paÄek of the Red Hat
Identity Management Engineering Team, and the CVE-2014-8112 issue was
discovered by Ludwig Krispenz of the Red Hat Identity Management
Engineering Team.
Enhancements:
* Added new WinSync configuration parameters: winSyncSubtreePair for
synchronizing multiple subtrees, as well as winSyncWindowsFilter and
winSyncDirectoryFilter for synchronizing restricted sets by filters.
(BZ#746646)
* It is now possible to stop, start, or configure plug-ins without the need
to restart the server for the change to take effect. (BZ#994690)
* Access control related to the MODDN and MODRDN operations has been
updated: the source and destination targets can be specified in the same
access control instruction. (BZ#1118014)
* The nsDS5ReplicaBindDNGroup attribute for using a group distinguished
name in binding to replicas has been added. (BZ#1052754)
* WinSync now supports range retrieval. If more than the MaxValRange number
of attribute values exist per attribute, WinSync synchronizes all the
attributes to the directory server using the range retrieval. (BZ#1044149)
* Support for the RFC 4527 Read Entry Controls and RFC 4533 Content
Synchronization Operation LDAP standards has been added. (BZ#1044139,
BZ#1044159)
* The Referential Integrity (referint) plug-in can now use an alternate
configuration area. The PlugInArg plug-in configuration now uses unique
configuration attributes. Configuration changes no longer require a server
restart. (BZ#1044203)
* The logconv.pl log analysis tool now supports gzip, bzip2, and xz
compressed files and also TAR archives and compressed TAR archives of these
files. (BZ#1044188)
* Only the Directory Manager could add encoded passwords or force users to
change their password after a reset. Users defined in the passwordAdminDN
attribute can now also do this. (BZ#1118007)
* The "nsslapd-memberofScope" configuration parameter has been added to the
MemberOf plug-in. With MemberOf enabled and a scope defined, moving a group
out of scope with a MODRDN operation failed. Moving a member entry out of
scope now correctly removes the memberof value. (BZ#1044170)
* The alwaysRecordLoginAttr attribute has been addded to the Account Policy
plug-in configuration entry, which allows to distinguish between an
attribute for checking the activity of an account and an attribute to be
updated at successful login. (BZ#1060032)
* A root DSE search, using the ldapsearch command with the '-s base -b ""'
options, returns only the user attributes instead of the operational
attributes. The "nsslapd-return-default" option has been added for backward
compatibility. (BZ#1118021)
* The configuration of the MemberOf plug-in can be stored in a suffix
mapped to a back-end database, which allows MemberOf configuration to be
replicated. (BZ#1044205)
* Added support for the SSL versions from the range supported by the NSS
library available on the system. Due to the POODLE vulnerability, SSLv3 is
disabled by default even if NSS supports it. (BZ#1044191)
https://access.redhat.com/security/cve/CVE-2014-8105 https://access.redhat.com/security/cve/CVE-2014-8112 https://access.redhat.com/security/updates/classification#important
Red Hat Enterprise Linux Client Optional (v. 7):
Source:
389-ds-base-1.3.3.1-13.el7.src.rpm
x86_64:
389-ds-base-1.3.3.1-13.el7.x86_64.rpm
389-ds-base-debuginfo-1.3.3.1-13.el7.x86_64.rpm
389-ds-base-devel-1.3.3.1-13.el7.x86_64.rpm
389-ds-base-libs-1.3.3.1-13.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
Source:
389-ds-base-1.3.3.1-13.el7.src.rpm
x86_64:
389-ds-base-1.3.3.1-13.el7.x86_64.rpm
389-ds-base-debuginfo-1.3.3.1-13.el7.x86_64.rpm
389-ds-base-devel-1.3.3.1-13.el7.x86_64.rpm
389-ds-base-libs-1.3.3.1-13.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
389-ds-base-1.3.3.1-13.el7.src.rpm
x86_64:
389-ds-base-1.3.3.1-13.el7.x86_64.rpm
389-ds-base-debuginfo-1.3.3.1-13.el7.x86_64.rpm
389-ds-base-libs-1.3.3.1-13.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
x86_64:
389-ds-base-debuginfo-1.3.3.1-13.el7.x86_64.rpm
389-ds-base-devel-1.3.3.1-13.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
389-ds-base-1.3.3.1-13.el7.src.rpm
x86_64:
389-ds-base-1.3.3.1-13.el7.x86_64.rpm
389-ds-base-debuginfo-1.3.3.1-13.el7.x86_64.rpm
389-ds-base-libs-1.3.3.1-13.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
389-ds-base-debuginfo-1.3.3.1-13.el7.x86_64.rpm
389-ds-base-devel-1.3.3.1-13.el7.x86_64.rpm
Read the Full Advisory
Updated 389-ds-base packages that fix two security issues, several bugs,and add various enhancements are now available for Red Hat EnterpriseLinux 7.Red Hat Product Security has rated this update as having Important securityimpact. Common Vulnerability Scoring System (CVSS) base scores, which givedetailed severity ratings, are available for each vulnerability from theCVE links in the References section.
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
881372 - nsDS5BeginReplicaRefresh attribute accepts any value and it doesn't throw any error when server restarts.
920597 - Possible to add invalid ACI value
921162 - Possible to add nonexistent target to ACI
923799 - if nsslapd-cachememsize set to the number larger than the RAM available, should result in proper error message.
924937 - Attribute "dsOnlyMemberUid" not allowed when syncing nested posix groups from AD with posixWinsync
951754 - Self entry access ACI not working properly
975176 - Non-directory manager can change the individual userPassword's storage scheme
982597 - Some attributes in cn=config should not be multivalued
994690 - [RFE] Allow dynamically adding/enabling/disabling/removing plugins without requiring a server restart
1012991 - errorlog-level 16384 is listed as 0 in cn=config
1013736 - Enabling/Disabling DNA plug-in throws "ldap_modify: Server Unwilling to Perform (53)" error
1014380 - setup-ds.pl doesn't lookup the "root" group correctly
1024541 - start dirsrv after ntpd
1029959 - Managed Entries betxnpreoperation - transaction not aborted upon failure to create managed entry
1031216 - add dbmon.sh
1044133 - Indexed search with filter containing '&' and "!" with attribute subtypes gives wrong result
1044134 - [RFE] should set LDAP_OPT_X_SASL_NOCANON to LDAP_OPT_ON by default
1044135 - [RFE] make connection buffer size adjustable
Get the latest Linux and open source security news straight to your inbox.