Security: Information disclosure in 389-ds-base
Name: Information disclosure in 389-ds-base
ID: FEDORA-2013-5349
Distribution: Fedora
Platforms: Fedora 17
Date: Thu, June 13, 2013, 13:19
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1897
Applications: 389 Directory Server

Original message
Name        : 389-ds-base
Product     : Fedora 17
Version     : 1.2.11.21
Release     : 1.fc17
URL         : http://port389.org/
Summary     : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server. The base package includes the LDAP server and command line utilities for server administration.

--------------------------------------------------------------------------------
Update Information:

Here is where you give an explanation of your update.
This release fixes 7 critical bugs including one security bug.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 9 2013 Mark Reynolds <mreynolds@redhat.com> - 1.2.11.21-1
9a7ba7d bump verison to 1.2.11.21
Ticket 47318 - server fails to start after upgrade(schema error)

* Thu Mar 28 2013 Noriko Hosoi <nhosoi@redhat.com> - 1.2.11.20-1
Ticket 623 - cleanAllRUV task fails to cleanup config upon completion
Ticket #47308 - unintended information exposure when anonymous access is set to rootdse
Ticket 628 - crash in aci evaluation
Ticket #627 - ns-slapd crashes sporadically with segmentation fault in libslapd.so
Ticket #634 - Deadlock in DNA plug-in
f6a6514 Coverity issue 13091
Ticket 632 - 389-ds-base cannot handle Kerberos tickets with PAC
Ticket 623 - cleanAllRUV task fails to cleanup config upon completion

* Mon Mar 11 2013 Mark Reynolds <mreynolds@redhat.com> - 1.2.11.19-1
c535f7d bump version to 1.2.11.19
Bug 912964 - CVE-2013-0312 389-ds: unauthenticated denial of service vulnerability in handling of LDAPv3 control data
Ticket 590 - ns-slapd segfaults while trying to delete a tombstone entry
Ticket 518 - dse.ldif is 0 length after server kill or machine kill
Ticket #579 - Error messages encountered when using POSIX winsync
Ticket #576 - DNA: use event queue for config update only at the start up
Ticket 367 - Invalid chaining config triggers a disk full error and shutdown
Ticket 570 - DS returns error 20 when replacing values of a multi-valued attribute (only when replication is enabled)
Bug 906005 - Valgrind reports memleak in modify_update_last_modified_attr
Ticket #572 - PamConfig schema not updated during upgrade

* Thu Jan 24 2013 Mark Reynolds <mreynolds@redhat.com> - 1.2.11.18-1
12420d9 bump version to 1.2.11.18
Ticket 556 - Don't overwrite certmap.conf during upgrade
Ticket 495 - 1.2.11 - plugin dn is missing from pblock
Ticket 549 - DNA plugin no longer reports additional info when range is depleted
Ticket 541 - need to set plugin as off in ldif template
Ticket 541 - RootDN Access Control plugin is missing after upgrade
Ticket 527 - ns-slapd segfaults if it cannot rename the logs
39b0938 Coverity Issues for 1.2.11
Ticket 216 - disable replication agreements
Ticket 20 - Allow automember to work on entries that have already been added
7d22bc2 Coverity Fixes
Ticket 337 - improve CLEANRUV functionality
Ticket 495 - internalModifiersname not updated by DNA plugin
Ticket 517 - crash in DNA if no dnaMagicRegen is specified
Trac Ticket #520 - RedHat Directory Server crashes (segfaults) when moving ldap entry
Trac Ticket #519 - Search with a complex filter including range search is slow
Trac Ticket #500 - Newly created users with organizationalPerson objectClass fails to sync from AD to DS with missing attribute error
Ticket #503 - Improve AD version in winsync log message
Trac Ticket #498 - Cannot abaondon simple paged result search
55997a6 Coverity defects
Trac Ticket #494 - slapd entered to infinite loop during new index addition
56ebbb2 Fixing compiler warnings in the posix-winsync plugin
a57d913 Coverity defects
Ticket 468 - if pam_passthru is enabled, need to AC_CHECK_HEADERS([security/pam_appl.h])
Ticket 486 - nsslapd-enablePlugin should not be multivalued
Ticket 488 - Doc: DS error log messages with typo
Ticket #491 - multimaster_extop_cleanruv returns wrong error codes

* Mon Dec 10 2012 Mark Reynolds <mreynolds@redhat.com> - 1.2.11.17-1
- 94d5ea3 bump verison to 1.2.11.17
- Ticket 527 - ns-slapd segfaults if it cannot rename the logs
- 39b0938 Coverity Issues for 1.2.11
- Ticket 216 - disable replication agreements
- Ticket 20 - Allow automember to work on entries that have already been added
- 7d22bc2 Coverity Fixes
- Ticket 337 - improve CLEANRUV functionality
- Ticket 495 - internalModifiersname not updated by DNA plugin
- Ticket 517 - crash in DNA if no dnaMagicRegen is specified
- Trac Ticket #520 - RedHat Directory Server crashes (segfaults) when moving ldap entry
- Trac Ticket #519 - Search with a complex filter including range search is slow
- Trac Ticket #500 - Newly created users with organizationalPerson objectClass fails to sync from AD to DS with missing attribute error
- Ticket #503 - Improve AD version in winsync log message
- Trac Ticket #498 - Cannot abaondon simple paged result search
- 55997a6 Coverity defects
- Trac Ticket #494 - slapd entered to infinite loop during new index addition
- 56ebbb2 Fixing compiler warnings in the posix-winsync plugin
- a57d913 Coverity defects
- Ticket 468 - if pam_passthru is enabled, need to AC_CHECK_HEADERS([security/pam_appl.h])
- Ticket 486 - nsslapd-enablePlugin should not be multivalued
- Ticket 488 - Doc: DS error log messages with typo
- Ticket #491 - multimaster_extop_cleanruv returns wrong error codes

* Wed Oct 10 2012 Noriko Hosoi <nhosoi@redhat.com> - 1.2.11.16-1
- Ticket 340 - Change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in acl
- Ticket 446 - anonymous limits are being applied to directory manager
- Ticket 478 - passwordTrackUpdateTime stops working with subtree password policies
- Ticket 481 - expand nested posix groups
- Ticket 485 - Dirsrv deadlock locking up IPA

* Tue Sep 25 2012 Rich Megginson <rmeggins@redhat.com> - 1.2.11.15-1
- Ticket 470 - 389 prevents from adding a posixaccount with userpassword after schema reload
- Ticket 477 - CLEANALLRUV if there are only winsync agmts task will hang
- Ticket 457 - dirsrv init script returns 0 even when few or all instances fail to start
- Ticket 473 - change VERSION.sh to have console version be major.minor
- Ticket 475 - Root DN Access Control - improve value checking for config
- Trac Ticket #466 - entry_apply_mod - ADD: Failed to set unhashed#user#password to extension
- Ticket 474 - Root DN Access Control - days allowed not working correctly
- Ticket 467 - CLEANALLRUV abort task should be able to ignore down replicas
- 0b79915 fix compiler warnings in ticket 374 code
- Ticket 452 - automember rebuild task adds users to groups that do not match the configuration scope

* Fri Sep 7 2012 Rich Megginson <rmeggins@redhat.com> - 1.2.11.14-1
- Ticket 450 - CLEANALLRUV task gets stuck on winsync replication agreement
- Ticket 386 - large memory growth with ldapmodify(heap fragmentation)
- this patch doesn't fix the bug - it allows us to experiment with
- different values of mxfast
- Ticket #374 - consumer can go into total update mode for no reason

* Tue Sep 4 2012 Rich Megginson <rmeggins@redhat.com> - 1.2.11.13-1
- Ticket #426 - support posix schema for user and group sync
- 1) plugin config ldif must contain pluginid, etc. during upgrade or it
- will fail due to schema errors
- 2) posix winsync should have a lower precedence (25) than the default (50)
- so that it will be run first
- 3) posix winsync should support the Winsync API v3 - the v2 functions are
- just stubs for now - but the precedence cb is active

* Thu Aug 30 2012 Rich Megginson <rmeggins@redhat.com> - 1.2.11.12-1
- 8e5087a Coverity defects - 13089: Dereference after null check ldbm_back_delete
- Trac Ticket #437 - variable dn should not be used in ldbm_back_delete
- ba1f5b2 fix coverity resource leak in windows_plugin_add
- e3e81db Simplify program flow: change while loops to for
- a0d5dc0 Fix logic errors: del_mod should be latched (might not be last mod), and avoid skipping add-mods (int value 0)
- 0808f7e Simplify program flow: make adduids/moduids/deluids action blocks all similar
- 77eb760 Simplify program flow: eliminate unnecessary continue
- c9e9db7 Memory leaks: unmatched slapi_attr_get_valueset and slapi_value_new
- a4ca0cc Change "return"s in modGroupMembership to "break"s to avoid leaking
- d49035c Factorize into new isPosixGroup function
- 3b61c03 coverity - posix winsync mem leaks, null check, deadcode, null ref, use after free
- 33ce2a9 fix mem leaks with parent dn log message, setting winsync windows domain
- Ticket #440 - periodic dirsync timed event causes server to loop repeatedly
- Ticket #355 - winsync should not delete entry that appears to be out of scope
- Ticket 436 - nsds5ReplicaEnabled can be set with any invalid values.
- 487932d coverity - mbo dead code - winsync leaks, deadcode, null check, test code
- 2734a71 CLEANALLRUV coverity fixes
- Ticket #426 - support posix schema for user and group sync
- Ticket #430 - server to server ssl client auth broken with latest openldap

* Mon Aug 20 2012 Mark Reynolds <mareynol@redhat.com> - 1.2.11.11-1
6c0778f bumped version to 1.2.11.11
Ticket 429 - added nsslapd-readonly to DS schema
Ticket 403 - fix CLEANALLRUV regression from last commit
Trac Ticket #346 - Slow ldapmodify operation time for large quantities of multi-valued attribute values

* Wed Aug 15 2012 Mark Reynolds <mareynol@redhat.com> - 1.2.11.10-1
db6b354 bumped version to 1.2.11.10
Ticket 403 - CLEANALLRUV revisions

* Tue Aug 7 2012 Mark Reynolds <mareynol@redhat.com> - 1.2.11.9-1
ea05e69 Bumped version to 1.2.11.9
Ticket 407 - dna memory leak - fix crash from prev fix

* Fri Aug 3 2012 Mark Reynolds <mareynol@redhat.com> - 1.2.11.8-1
ddcf669 bump version to 1.2.11.8 for offical release
Ticket #425 - support multiple winsync plugins
Ticket 403 - cleanallruv coverity fixes
Ticket 407 - memory leak in dna plugin
Ticket 403 - CLEANALLRUV feature
Ticket 413 - "Server is unwilling to perform" when running ldapmodify on nsds5ReplicaStripAttrs
3168f04 Coverity defects
5ff0a02 COVERITY FIXES
Ticket #388 - Improve replication agreement status messages
0760116 Update the slapi-plugin documentation on new slapi functions, and added a slapi function for checking on shutdowns
Ticket #369 - restore of replica ldif file on second master after deleting two records shows only 1 deletion
Ticket #409 - Report during startup if nsslapd-cachememsize is too small
Ticket #412 - memberof performance enhancement
12813: Uninitialized pointer read string_values2keys
Ticket #346 - Slow ldapmodify operation time for large quantities of multi-valued attribute values
Ticket #346 - Slow ldapmodify operation time for large quantities of multi-valued attribute values
Ticket #410 - Referential integrity plug-in does not work when update interval is not zero
Ticket #406 - Impossible to rename entry (modrdn) with Attribute Uniqueness plugin enabled
Ticket #405 - referint modrdn not working if case is different
Ticket 399 - slapi_ldap_bind() doesn't check bind results

* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.11.7-2.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Thu Jun 28 2012 Petr Pisar <ppisar@redhat.com> - 1.2.11.7-2.1
- Perl 5.16 rebuild

* Wed Jun 27 2012 Rich Megginson <rmeggins@redhat.com> - 1.2.11.7-2
- Ticket 378 - unhashed#user#password visible after changing password
- fix func declaration from previous patch
- Ticket 366 - Change DS to purge ticket from krb cache in case of authentication error

* Wed Jun 27 2012 Rich Megginson <rmeggins@redhat.com> - 1.2.11.7-1
- Trac Ticket 396 - Account Usability Control Not Working

* Thu Jun 21 2012 Rich Megginson <rmeggins@redhat.com> - 1.2.11.6-1
- Ticket #378 - audit log does not log unhashed password: enabled, by default.
- Ticket #378 - unhashed#user#password visible after changing password
- Ticket #365 - passwords in clear text in the audit log

* Tue Jun 19 2012 Rich Megginson <rmeggins@redhat.com> - 1.2.11.5-2
- workaround for https://bugzilla.redhat.com/show_bug.cgi?id=833529

* Mon Jun 18 2012 Rich Megginson <rmeggins@redhat.com> - 1.2.11.5-1
- Ticket #387 - managed entry sometimes doesn't delete the managed entry
- 5903815 improve txn test index handling
- Ticket #360 - ldapmodify returns Operations error - fix delete caching
- bcfa9e3 Coverity Fix for CLEANALLRUV
- Trac Ticket #335 - transaction retries need to be cache aware
- Ticket #389 - ADD operations not in audit log
- 44cdc84 fix coverity issues with uninit vals, no return checking
- Ticket 368 - Make the cleanAllRUV task one step
- Ticket #110 - RFE limiting root DN by host, IP, time of day, day of week

* Mon Jun 11 2012 Petr Pisar <ppisar@redhat.com> - 1.2.11.4-1.1
- Perl 5.16 rebuild

* Tue May 22 2012 Rich Megginson <rmeggins@redhat.com> - 1.2.11.4-1
- Ticket #360 - ldapmodify returns Operations error
- Ticket #321 - krbExtraData is being null modified and replicated on each ssh login
- Trac Ticket #359 - Database RUV could mismatch the one in changelog under the stress
- Ticket #361: Bad DNs in ACIs can segfault ns-slapd
- Trac Ticket #338 - letters in object's cn get converted to lowercase when renaming object
- Ticket #337 - Improve CLEANRUV task

* Sat May 5 2012 Rich Megginson <rmeggins@redhat.com> - 1.2.11.3-1
- Ticket #358 - managed entry doesn't delete linked entry

* Fri May 4 2012 Rich Megginson <rmeggins@redhat.com> - 1.2.11.2-1
- Ticket #351 - use betxn plugins by default
- revert - make no plugins betxn by default - too great a risk
- for deadlocks until we can test this better
- Ticket #348 - crash in ldap_initialize with multiple threads
- fixes PR_Init problem in ldclt
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #928105 - CVE-2013-1897 389-ds: unintended information exposure when rootdse is enabled
        https://bugzilla.redhat.com/show_bug.cgi?id=928105
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update 389-ds-base' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce