Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 547
Alerts This Week
Warning Icon 1 547

Red Hat: RHSA-2015-0416 Important Fixes for 389-ds-base Security Issues

red hat
Calendar Grey March 5, 2015
Dist Redhat Esm H88
Revised 389-ds-base components tackling critical vulnerabilities and bug-related challenges for Red Hat Enterprise Linux clientele.
Updated 389-ds-base packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7

Solution

All 389-ds-base users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. After installing this update, the 389 server service will be restarted automatically.

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Summary

The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.
An information disclosure flaw was found in the way the 389 Directory Server stored information in the Changelog that is exposed via the 'cn=changelog' LDAP sub-tree. An unauthenticated user could in certain cases use this flaw to read data from the Changelog, which could include sensitive information such as plain-text passwords. (CVE-2014-8105)
It was found that when the nsslapd-unhashed-pw-switch 389 Directory Server configuration option was set to "off", it did not prevent the writing of unhashed passwords into the Changelog. This could potentially allow an authenticated user able to access the Changelog to read sensitive information. (CVE-2014-8112)
The CVE-2014-8105 issue was discovered by Petr Špaček of the Red Hat Identity Management Engineering Team, and the CVE-2014-8112 issue was discovered by Ludwig Krispenz of the Red Hat Identity Management Engineering Team.
Enhancements:
* Added new WinSync configuration parameters: winSyncSubtreePair for synchronizing multiple subtrees, as well as winSyncWindowsFilter and winSyncDirectoryFilter for synchronizing restricted sets by filters. (BZ#746646)
* It is now possible to stop, start, or configure plug-ins without the need to restart the server for the change to take effect. (BZ#994690)
* Access control related to the MODDN and MODRDN operations has been updated: the source and destination targets can be specified in the same access control instruction. (BZ#1118014)
* The nsDS5ReplicaBindDNGroup attribute for using a group distinguished name in binding to replicas has been added. (BZ#1052754)
* WinSync now supports range retrieval. If more than the MaxValRange number of attribute values exist per attribute, WinSync synchronizes all the attributes to the directory server using the range retrieval. (BZ#1044149)
* Support for the RFC 4527 Read Entry Controls and RFC 4533 Content Synchronization Operation LDAP standards has been added. (BZ#1044139, BZ#1044159)
* The Referential Integrity (referint) plug-in can now use an alternate configuration area. The PlugInArg plug-in configuration now uses unique configuration attributes. Configuration changes no longer require a server restart. (BZ#1044203)
* The logconv.pl log analysis tool now supports gzip, bzip2, and xz compressed files and also TAR archives and compressed TAR archives of these files. (BZ#1044188)
* Only the Directory Manager could add encoded passwords or force users to change their password after a reset. Users defined in the passwordAdminDN attribute can now also do this. (BZ#1118007)
* The "nsslapd-memberofScope" configuration parameter has been added to the MemberOf plug-in. With MemberOf enabled and a scope defined, moving a group out of scope with a MODRDN operation failed. Moving a member entry out of scope now correctly removes the memberof value. (BZ#1044170)
* The alwaysRecordLoginAttr attribute has been addded to the Account Policy plug-in configuration entry, which allows to distinguish between an attribute for checking the activity of an account and an attribute to be updated at successful login. (BZ#1060032)
* A root DSE search, using the ldapsearch command with the '-s base -b ""' options, returns only the user attributes instead of the operational attributes. The "nsslapd-return-default" option has been added for backward compatibility. (BZ#1118021)
* The configuration of the MemberOf plug-in can be stored in a suffix mapped to a back-end database, which allows MemberOf configuration to be replicated. (BZ#1044205)
* Added support for the SSL versions from the range supported by the NSS library available on the system. Due to the POODLE vulnerability, SSLv3 is disabled by default even if NSS supports it. (BZ#1044191)

References

https://access.redhat.com/security/cve/CVE-2014-8105 https://access.redhat.com/security/cve/CVE-2014-8112 https://access.redhat.com/security/updates/classification#important

Package List

Red Hat Enterprise Linux Client Optional (v. 7):
Source: 389-ds-base-1.3.3.1-13.el7.src.rpm
x86_64: 389-ds-base-1.3.3.1-13.el7.x86_64.rpm 389-ds-base-debuginfo-1.3.3.1-13.el7.x86_64.rpm 389-ds-base-devel-1.3.3.1-13.el7.x86_64.rpm 389-ds-base-libs-1.3.3.1-13.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
Source: 389-ds-base-1.3.3.1-13.el7.src.rpm
x86_64: 389-ds-base-1.3.3.1-13.el7.x86_64.rpm 389-ds-base-debuginfo-1.3.3.1-13.el7.x86_64.rpm 389-ds-base-devel-1.3.3.1-13.el7.x86_64.rpm 389-ds-base-libs-1.3.3.1-13.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: 389-ds-base-1.3.3.1-13.el7.src.rpm
x86_64: 389-ds-base-1.3.3.1-13.el7.x86_64.rpm 389-ds-base-debuginfo-1.3.3.1-13.el7.x86_64.rpm 389-ds-base-libs-1.3.3.1-13.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
x86_64: 389-ds-base-debuginfo-1.3.3.1-13.el7.x86_64.rpm 389-ds-base-devel-1.3.3.1-13.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: 389-ds-base-1.3.3.1-13.el7.src.rpm
x86_64: 389-ds-base-1.3.3.1-13.el7.x86_64.rpm 389-ds-base-debuginfo-1.3.3.1-13.el7.x86_64.rpm 389-ds-base-libs-1.3.3.1-13.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64: 389-ds-base-debuginfo-1.3.3.1-13.el7.x86_64.rpm 389-ds-base-devel-1.3.3.1-13.el7.x86_64.rpm


Read the Full Advisory


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2015:0416-01
Product: Red Hat Enterprise Linux
Issue date: 2015-03-05

Topic

Updated 389-ds-base packages that fix two security issues, several bugs,and add various enhancements are now available for Red Hat EnterpriseLinux 7.Red Hat Product Security has rated this update as having Important securityimpact. Common Vulnerability Scoring System (CVSS) base scores, which givedetailed severity ratings, are available for each vulnerability from theCVE links in the References section.

Relevant Releases Architectures

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64

Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64

Red Hat Enterprise Linux Server (v. 7) - x86_64

Red Hat Enterprise Linux Server Optional (v. 7) - x86_64

Red Hat Enterprise Linux Workstation (v. 7) - x86_64

Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

Bugs Fixed

881372 - nsDS5BeginReplicaRefresh attribute accepts any value and it doesn't throw any error when server restarts.

920597 - Possible to add invalid ACI value

921162 - Possible to add nonexistent target to ACI

923799 - if nsslapd-cachememsize set to the number larger than the RAM available, should result in proper error message.

924937 - Attribute "dsOnlyMemberUid" not allowed when syncing nested posix groups from AD with posixWinsync

951754 - Self entry access ACI not working properly

975176 - Non-directory manager can change the individual userPassword's storage scheme

982597 - Some attributes in cn=config should not be multivalued

994690 - [RFE] Allow dynamically adding/enabling/disabling/removing plugins without requiring a server restart

1012991 - errorlog-level 16384 is listed as 0 in cn=config

1013736 - Enabling/Disabling DNA plug-in throws "ldap_modify: Server Unwilling to Perform (53)" error

1014380 - setup-ds.pl doesn't lookup the "root" group correctly

1024541 - start dirsrv after ntpd

1029959 - Managed Entries betxnpreoperation - transaction not aborted upon failure to create managed entry

1031216 - add dbmon.sh

1044133 - Indexed search with filter containing '&' and "!" with attribute subtypes gives wrong result

1044134 - [RFE] should set LDAP_OPT_X_SASL_NOCANON to LDAP_OPT_ON by default

1044135 - [RFE] make connection buffer size adjustable

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.