Red Hat Security Advisory
Synopsis: Moderate: 389-ds-base security, bug fix, and enhancement
Advisory ID: RHSA-2016:2594-02
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2594.html
Issue date: 2016-11-03
CVE Names: CVE-2016-4992 CVE-2016-5405 CVE-2016-5416
1. Summary:
An update for 389-ds-base is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64le, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64le, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The
base packages include the Lightweight Directory Access Protocol (LDAP)
server and command-line utilities for server administration.
The following packages have been upgraded to a newer upstream version:
389-ds-base (220.127.116.11). (BZ#1270020)
* It was found that 389 Directory Server was vulnerable to a flaw in which
the default ACI (Access Control Instructions) could be read by an anonymous
user. This could lead to leakage of sensitive information. (CVE-2016-5416)
* An information disclosure flaw was found in 389 Directory Server. A user
with no access to objects in a certain LDAP sub-tree could send LDAP ADD
operations with a specific object name. The error message returned to the
user was different based on whether the target object existed or not.
(CVE-2016-4992)
* It was found that 389 Directory Server was vulnerable to a remote
password disclosure via timing attack. A remote attacker could possibly use
this flaw to retrieve a directory server password after many tries.
(CVE-2016-5405)
The CVE-2016-5416 issue was discovered by Viktor Ashirov (Red Hat); the
CVE-2016-4992 issue was discovered by Petr Spacek (Red Hat) and Martin
Basti (Red Hat); and the CVE-2016-5405 issue was discovered by William
Brown (Red Hat).
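The existence oracle in the CVE-2016-4992 description, modelled as an added example that is not 389-ds-base code: the result codes are the standard LDAP ones from RFC 4511, the directory contents, bind DNs and access policy are constructed, and the check ordering shown as the hardened variant is one way to close this class of leak, not the advisory's own fix.

```python
# Added example (not 389-ds-base code): a minimal model of the LDAP ADD
# existence oracle described for CVE-2016-4992, beside an ordering that
# closes it. Result codes are from RFC 4511; all data below is constructed.

INSUFFICIENT_ACCESS = 50   # insufficientAccessRights
ENTRY_ALREADY_EXISTS = 68  # entryAlreadyExists
SUCCESS = 0

# Constructed directory: DN -> attributes. Only these entries exist.
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["domain"]},
    "ou=secret,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=project-x,ou=secret,dc=example,dc=com": {"objectClass": ["groupOfNames"]},
}

# Constructed access policy: sub-trees each bind DN may add entries under.
WRITE_ACCESS = {
    "cn=admin,dc=example,dc=com": ["dc=example,dc=com"],
    "uid=guest,dc=example,dc=com": [],   # no rights anywhere in the tree
}

def parent_dn(dn: str) -> str:
    return dn.split(",", 1)[1]

def may_add_under(bind_dn: str, dn: str) -> bool:
    allowed = WRITE_ACCESS.get(bind_dn, [])
    return any(dn == tree or dn.endswith("," + tree) for tree in allowed)

def vulnerable_add(bind_dn: str, dn: str) -> int:
    # Flawed ordering: the existence check runs before access control, so an
    # unauthorised caller sees 68 for entries that exist and 50 otherwise.
    if dn in DIRECTORY:
        return ENTRY_ALREADY_EXISTS
    if not may_add_under(bind_dn, parent_dn(dn)):
        return INSUFFICIENT_ACCESS
    return SUCCESS

def hardened_add(bind_dn: str, dn: str) -> int:
    # Access control first: a caller without rights on the target sub-tree
    # gets the same result whether or not the entry exists.
    if not may_add_under(bind_dn, parent_dn(dn)):
        return INSUFFICIENT_ACCESS
    if dn in DIRECTORY:
        return ENTRY_ALREADY_EXISTS
    return SUCCESS

def leaks_existence(add, bind_dn: str, existing: str, missing: str) -> bool:
    # Defender's check: do the result codes differ for an existing and a
    # non-existing DN the caller has no rights to? If so, ADD is an oracle.
    return add(bind_dn, existing) != add(bind_dn, missing)
```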
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.3 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
After installing this update, the 389 server service will be restarted
5. Bugs fixed (https://bugzilla.redhat.com/):
190862 - [RFE] Default password syntax settings don't work with
1018944 - [RFE] Enhance password change tracking
1143066 - [RFE] The dirsrv user/group should be created in rpm %pre, and
ideally with fixed uid/gid
1160902 - search, matching rules and filter error "unsupported type
1196282 - substring index with nssubstrbegin: 1 is not being used with filters
1209128 - [RFE] Add a utility to get the status of Directory Server instances
1210842 - Add PIDFile option to systemd service file
1223510 - nsslapd-maxbersize should be ignored in replication
1229799 - 389-ds-base: ldclt-bin killed by SIGSEGV
1249908 - No validation check for the value for nsslapd-db-locks.
1254887 - No man page entry for - option '-u' of dbgen.pl for adding
group entries with uniquemembers
1255557 - db2index creates index entry from deleted records
1257568 - /usr/lib64/dirsrv/libnunc-stans.so is owned by both -libs and -devel
1258610 - total update request must not be lost
1258611 - dna plugin needs to handle binddn groups for authorization
1259950 - Add config setting to MemberOf Plugin to add required objectclass got
1266510 - Linked Attributes plug-in - wrong behaviour when adding valid and
1266532 - Linked Attributes plug-in - won't update links after MODRDN
1267750 - pagedresults - when timed out, search results could have been already
1269378 - ds-logpipe.py with wrong arguments - python exception in the output
1270020 - Rebase 389-ds-base to 1.3.5 in RHEL-7.3
1271330 - nunc-stans: Attempt to release connection that is not acquired
1273142 - crash in Managed Entry plugin
1273549 - [RFE] Improve timestamp resolution in logs
1273550 - Deadlock between two MODs on the same entry between entry cache and
1273555 - deadlock in mep delete post op
1275763 - [RFE] add setup-ds.pl option to disable instance specific scripts
1278567 - SimplePagedResults -- abandon could happen between the abandon check
and sending results
1278584 - Share nsslapd-threadnumber in the case nunc-stans is enabled, as
1278755 - deadlock on connection mutex
1278987 - Cannot upgrade a consumer to supplier in a multimaster environment
1280123 - acl - regression - trailing ', (comma)' in macro matched
value is not removed.
1280456 - setup-ds should detect if port is already defined
1288229 - many attrlist_replace errors in connection with cleanallruv
1290101 - proxyauth support does not work when bound as directory manager
1290111 - [RFE] Support for rfc3673 '+' to return operational
1290141 - With exhausted range, part of DNA shared configuration is deleted
after server restart
1290242 - SimplePagedResults -- in the search error case, simple paged results
slot was not released.
1290600 - The 'eq' index does not get updated properly when deleting
and re-adding attributes in the same ldapmodify operation
1296310 - ldclt - segmentation fault error while binding
1301097 - logconv.pl displays negative operation speeds
1302823 - Crash in slapi_get_object_extension
1303641 - heap corruption at schema replication.
1303794 - Import readNSState.py from RichM's repo
1304682 - "stale" automember rule (associated to a removed group)
causes discrepancies in the database
1307151 - keep alive entries can break replication
1310848 - Supplier can skip a failing update, although it should retry.
1312557 - dirsrv service fails to start when nsslapd-listenhost is configured
1314557 - change severity of some messages related to "keep alive"
1314956 - moving an entry cause next on-line init to skip entry has no parent,
ending at line 0 of file "(bulk import)"
1315893 - License tag does not match actual license of code
1316328 - search returns no entry when OR filter component contains non
1316580 - dirsrv service doesn't ask for pin when pin.txt is missing
1316731 - syncrepl search returning error 329; plugin sending a bad error code
1316741 - ldctl should support -H with ldap uris
1316742 - no plugin calls in tombstone purging
1319329 - add nsslapd-auditlog-logging-enabled: off to template-dse.ldif
1320295 - If nsSSL3 is on, even if SSL v3 is not really enabled, a confusing
message is logged.
1320715 - DES to AES password conversion fails if a backend is empty
1321124 - Replication changelog can incorrectly skip over updates
1326077 - Page result search should return empty cookie if there is no returned
1326520 - db2index uses a buffer size derived from dbcachesize
1328936 - objectclass values could be dropped on the consumer
1329061 - 389-ds-base-18.104.22.168-29.el7_2 "hang"
1331343 - Paged results search returns the blank list of entries
1332533 - ns-accountstatus.pl gives error message on execution along with
1332709 - password history is not updated when an admin resets the password
1333184 - (389-ds-base-1.3.5) Fixing coverity issues.
1333515 - Enable DS to offer weaker DH params in NSS
1334455 - db2ldif is not taking into account multiple suffixes or backends
1335492 - Modifier's name is not recorded in the audit log with modrdn and
1335618 - Server ram sanity checks work in isolation
1338872 - Wrong result code display in audit-failure log
1340307 - Running db2index with no options breaks replication
1342609 - At startup DES to AES password conversion causes timeout in start
1344414 - [RFE] adding pre/post extop ability
1347760 - CVE-2016-4992 389-ds-base: Information disclosure via repeated use of
LDAP ADD operation
1349540 - CVE-2016-5416 389-ds-base: ACI readable by anonymous user
1349571 - Improve MMR replication convergence
1349577 - Values of dbcachetries/dbcachehits in cn=monitor could overflow.
1350632 - ns-slapd shutdown crashes if pwdstorageschema name is from stack.
1353592 - Setup-ds.pl --update fails
1353629 - DS shuts down automatically if dnaThreshold is set to 0 in a MMR
1353714 - If a cipher is disabled, do not attempt to look it up
1354374 - Upgrade to 389-ds-base >= 22.214.171.124 doesn't install
1354660 - flow control in replication also blocks receiving results
1355879 - nunc-stans: ns-slapd crashes during startup with SIGILL on AMD
1356261 - Fixup tombstone task needs to set proper flag when updating
1358865 - CVE-2016-5405 389-ds-base: Password verification vulnerable to timing
1360327 - remove-ds.pl deletes an instance even if wrong prefix was specified
1360447 - nsslapd-workingdir is empty when ns-slapd is started by systemd
1361134 - When fine-grained policy is applied, a sub-tree has a priority over a
user while changing password
1361321 - Duplicate collation entries
1364190 - Change example in /etc/sysconfig/dirsrv to use tcmalloc
1368520 - Crash in import_wait_for_space_in_fifo().
1368956 - man page of ns-accountstatus.pl shows redundant entries for -p port
1369537 - passwordMinAge attribute doesn't limit the minimum age of the
1369570 - cleanallruv changelog cleaning incorrectly impacts all backends
1370300 - set proper update status to replication agreement in case of failure
1371283 - Server Side Sorting crashes the server.
1371284 - Disabling CLEAR password storage scheme will crash server when
setting a password
6. Package List:
Red Hat Enterprise Linux Client Optional (v. 7):
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
Red Hat Enterprise Linux Server (v. 7):
Red Hat Enterprise Linux Server Optional (v. 7):
Red Hat Enterprise Linux Workstation (v. 7):
Red Hat Enterprise Linux Workstation Optional (v. 7):
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
The Red Hat security contact is <firstname.lastname@example.org>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.