-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: 389-ds-base security, bug fix, and enhancement
update
Advisory ID: RHSA-2018:3127-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2018:3127
Issue date: 2018-10-30
CVE Names: CVE-2018-14648
=====================================================================
1. Summary:
An update for 389-ds-base is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64le, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) -
aarch64, ppc64le
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v.
7) - aarch64, ppc64le, s390x
3. Description:
389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The
base packages include the Lightweight Directory Access Protocol (LDAP)
server and command-line utilities for server administration.
The following packages have been upgraded to a later upstream version:
389-ds-base (1.3.8.4). (BZ#1560653)
Security Fix(es):
* 389-ds-base: Mishandled search requests in
servers/slapd/search.c:do_search() allows for denial of service
(CVE-2018-14648)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.6 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing this update, the 389 server service will be restarted
automatically.
5. Bugs fixed (https://bugzilla.redhat.com/):
1515190 - "Truncated search results" pop-up appears in user details in
WebUI
1525256 - Invalid SNMP MIB for 389 DS
1541098 - ds-replcheck: add -W option to ask for the password from stdin
instead of passing it on command line
1544477 - IPA server is not responding, all authentication and admin tests
failed
1551063 - replica_write_ruv log a failure even when it succeeds
1551065 - ds-replcheck LDIF comparision fails when checking for conflicts
1551071 - memberof fails if group is moved into scope
1552698 - replicated operations should be serialized.
1556803 - ds-replcheck command returns traceback errors against empty ldif
files when run in offline mode
1556863 - ds-replcheck command for "LDAP with StartTLS" using -Z option
should be more robust
1559945 - adjustment of csn_generator can fail so next generated csn can be
equal to the most recent one received
1560653 - Rebase 389-ds-base in RHEL 7.6 to 1.3.8
1566444 - crash in connection table / nunc-stans ?
1567042 - ns-slapd segfaults with ERR - connection_release_nolock_ext - conn=0
fd=0 Attempt to release connection that is not acquired
1568462 - disk monitoring setting the wrong default error log level
1570033 - Errors log full of " WARN - keys2idl - recieved NULL idl from
index_read_ext_allids, treating as empty set" messages
1570649 - pwdhash segfaults when CRYPT storage scheme is used
1574602 - Replication stops working when MemberOf plugin is enabled on hub and
consumer
1576485 - Upgrade script doesn't enable PBKDF password storage plug-in
1581737 - passthrough plugin configured to do starttls does not work.
1582092 - passwordMustChange attribute is not honored by a RO consumer if
"Chain on Update" is implemented on the RO consumer
1582747 - DS only accepts RSA and Fortezza cipher families
1593807 - Fine grained password policy can impact search performance
1596467 - IPA upgrade fails for latest ipa package
1597384 - Async operations can hang when the server is running nunc-stans
1597518 - ds-replcheck command returns traceback errors against ldif files
having garbage content when run in offline mode
1598186 - A search with the scope "one" returns a non-matching entry.
1598478 - If a replica is created with a bindDNGroup, this group is taken into
account only after bindDNGroupCheckInterval seconds
1598718 - import fails if backend name is "default"
1602425 - ipa user commands when used with '--random' or
'--password' option returns 'Constraint violation: Pre-Encoded passwords are not valid' error
1607078 - CVE-2018-10935 389-ds-base: ldapsearch with server side sort crashes
the ldap server [rhel-7.6]
1614501 - Disable nunc-stans by default
1614820 - 389-ds-base: Crash in vslapd_log_emergency_error [rhel-7.6]
1616412 - ipa certmap-match fails to find ipa user when altSecurityIdentities
in mapping rule
1630668 - CVE-2018-14648 389-ds-base: Mishandled search requests in
servers/slapd/search.c:do_search() allows for denial of service
6. Package List:
Red Hat Enterprise Linux Client Optional (v. 7):
Source:
389-ds-base-1.3.8.4-15.el7.src.rpm
x86_64:
389-ds-base-1.3.8.4-15.el7.x86_64.rpm
389-ds-base-debuginfo-1.3.8.4-15.el7.x86_64.rpm
389-ds-base-devel-1.3.8.4-15.el7.x86_64.rpm
389-ds-base-libs-1.3.8.4-15.el7.x86_64.rpm
389-ds-base-snmp-1.3.8.4-15.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
Source:
389-ds-base-1.3.8.4-15.el7.src.rpm
x86_64:
389-ds-base-1.3.8.4-15.el7.x86_64.rpm
389-ds-base-debuginfo-1.3.8.4-15.el7.x86_64.rpm
389-ds-base-devel-1.3.8.4-15.el7.x86_64.rpm
389-ds-base-libs-1.3.8.4-15.el7.x86_64.rpm
389-ds-base-snmp-1.3.8.4-15.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
389-ds-base-1.3.8.4-15.el7.src.rpm
ppc64le:
389-ds-base-1.3.8.4-15.el7.ppc64le.rpm
389-ds-base-debuginfo-1.3.8.4-15.el7.ppc64le.rpm
389-ds-base-libs-1.3.8.4-15.el7.ppc64le.rpm
x86_64:
389-ds-base-1.3.8.4-15.el7.x86_64.rpm
389-ds-base-debuginfo-1.3.8.4-15.el7.x86_64.rpm
389-ds-base-libs-1.3.8.4-15.el7.x86_64.rpm
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7):
Source:
389-ds-base-1.3.8.4-15.el7.src.rpm
aarch64:
389-ds-base-1.3.8.4-15.el7.aarch64.rpm
389-ds-base-debuginfo-1.3.8.4-15.el7.aarch64.rpm
389-ds-base-libs-1.3.8.4-15.el7.aarch64.rpm
ppc64le:
389-ds-base-1.3.8.4-15.el7.ppc64le.rpm
389-ds-base-debuginfo-1.3.8.4-15.el7.ppc64le.rpm
389-ds-base-libs-1.3.8.4-15.el7.ppc64le.rpm
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v.
7):
Source:
389-ds-base-1.3.8.4-15.el7.src.rpm
aarch64:
389-ds-base-debuginfo-1.3.8.4-15.el7.aarch64.rpm
389-ds-base-devel-1.3.8.4-15.el7.aarch64.rpm
389-ds-base-snmp-1.3.8.4-15.el7.aarch64.rpm
ppc64le:
389-ds-base-debuginfo-1.3.8.4-15.el7.ppc64le.rpm
389-ds-base-devel-1.3.8.4-15.el7.ppc64le.rpm
389-ds-base-snmp-1.3.8.4-15.el7.ppc64le.rpm
s390x:
389-ds-base-1.3.8.4-15.el7.s390x.rpm
389-ds-base-debuginfo-1.3.8.4-15.el7.s390x.rpm
389-ds-base-devel-1.3.8.4-15.el7.s390x.rpm
389-ds-base-libs-1.3.8.4-15.el7.s390x.rpm
389-ds-base-snmp-1.3.8.4-15.el7.s390x.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
Source:
389-ds-base-1.3.8.4-15.el7.src.rpm
ppc64:
389-ds-base-1.3.8.4-15.el7.ppc64.rpm
389-ds-base-debuginfo-1.3.8.4-15.el7.ppc64.rpm
389-ds-base-devel-1.3.8.4-15.el7.ppc64.rpm
389-ds-base-libs-1.3.8.4-15.el7.ppc64.rpm
389-ds-base-snmp-1.3.8.4-15.el7.ppc64.rpm
ppc64le:
389-ds-base-debuginfo-1.3.8.4-15.el7.ppc64le.rpm
389-ds-base-devel-1.3.8.4-15.el7.ppc64le.rpm
389-ds-base-snmp-1.3.8.4-15.el7.ppc64le.rpm
s390x:
389-ds-base-1.3.8.4-15.el7.s390x.rpm
389-ds-base-debuginfo-1.3.8.4-15.el7.s390x.rpm
389-ds-base-devel-1.3.8.4-15.el7.s390x.rpm
389-ds-base-libs-1.3.8.4-15.el7.s390x.rpm
389-ds-base-snmp-1.3.8.4-15.el7.s390x.rpm
x86_64:
389-ds-base-debuginfo-1.3.8.4-15.el7.x86_64.rpm
389-ds-base-devel-1.3.8.4-15.el7.x86_64.rpm
389-ds-base-snmp-1.3.8.4-15.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
389-ds-base-1.3.8.4-15.el7.src.rpm
x86_64:
389-ds-base-1.3.8.4-15.el7.x86_64.rpm
389-ds-base-debuginfo-1.3.8.4-15.el7.x86_64.rpm
389-ds-base-libs-1.3.8.4-15.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
389-ds-base-debuginfo-1.3.8.4-15.el7.x86_64.rpm
389-ds-base-devel-1.3.8.4-15.el7.x86_64.rpm
389-ds-base-snmp-1.3.8.4-15.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2018-14648
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/index
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBW9gQqdzjgjWX9erEAQgLQQ/9Hs/1UnWZGGjCXo5bgWBO9igqml/vo3lP
NH2/XF8Sc2VmpZJsk9WKpPOwixQDRXvGIMPsqAUqhaMGv5Z9jIjLi0wTz8SVOfyR
l079piH7sp+XPNjXkM6kiFkYBaP9yCWZ2qDBlrYWEO7MXNlNcj6qp5mlH3UTCpVC
raB+ixFxgw65IkZ6yYTU+htcKB/4XoIbnuHOWGG32Sg3MhzOiScrBNM323bSvEZf
7wSBsoydQMcNZxdHK5PbUt8Fd1EjMcE8Bgksb8MIOPeSk75FZd9CUmvg4i7eq+be
Wq5o2BBe+wwtwfmzX0/Vszz4IRJZKyk61uZWAzkc9NIv61YUkyg2qaPjcg2tNg+3
WYi2HRwIkn3KN6Epw1/TYqD5U6lIl6gMobCwMzBUn4f1KuVI1X9BUt45SVyPqqRf
aodwxbwPoO8jDlh5EX/OtoFwZtgwvNTXKpHiwC0CHRy7NEiUNvMg6IHaIHfOGCp2
TujRo6ZqeZqpEY43gkNTBvruhn+7f0ZInAGwn7U2nsCuN5iGjEiPmAfv9IjlJVz6
Q1NQkyFVLGeKKxuYmUR5k33AyB+MrEUkY1eoaABUYRhu/v1swrNt66/9eGCfuqGl
5hSOIY8Ar/GBWGsGcoFNHt/Vpbe4u3dx7pEz9u5fTNRqABnvSkg7RZw2zN4ZBU9G
5/ZKjqkY2JU=
=dHjl
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
|
