Sigurnosni nedostatak programskog paketa 389-ds-base

Preporuke

by - 30. listopada 2018.0

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: 389-ds-base security, bug fix, and enhancement update
Advisory ID: RHSA-2018:3127-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2018:3127
Issue date: 2018-10-30
CVE Names: CVE-2018-14648
=====================================================================

1. Summary:

An update for 389-ds-base is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) – x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) – x86_64
Red Hat Enterprise Linux Server (v. 7) – ppc64le, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) – ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) – x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) – x86_64
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) – aarch64, ppc64le
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) – aarch64, ppc64le, s390x

3. Description:

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The
base packages include the Lightweight Directory Access Protocol (LDAP)
server and command-line utilities for server administration.

The following packages have been upgraded to a later upstream version:
389-ds-base (1.3.8.4). (BZ#1560653)

Security Fix(es):

* 389-ds-base: Mishandled search requests in
servers/slapd/search.c:do_search() allows for denial of service
(CVE-2018-14648)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.6 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the 389 server service will be restarted
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1515190 – “Truncated search results” pop-up appears in user details in WebUI
1525256 – Invalid SNMP MIB for 389 DS
1541098 – ds-replcheck: add -W option to ask for the password from stdin instead of passing it on command line
1544477 – IPA server is not responding, all authentication and admin tests failed
1551063 – replica_write_ruv log a failure even when it succeeds
1551065 – ds-replcheck LDIF comparision fails when checking for conflicts
1551071 – memberof fails if group is moved into scope
1552698 – replicated operations should be serialized.
1556803 – ds-replcheck command returns traceback errors against empty ldif files when run in offline mode
1556863 – ds-replcheck command for “LDAP with StartTLS” using -Z option should be more robust
1559945 – adjustment of csn_generator can fail so next generated csn can be equal to the most recent one received
1560653 – Rebase 389-ds-base in RHEL 7.6 to 1.3.8
1566444 – crash in connection table / nunc-stans ?
1567042 – ns-slapd segfaults with ERR – connection_release_nolock_ext – conn=0 fd=0 Attempt to release connection that is not acquired
1568462 – disk monitoring setting the wrong default error log level
1570033 – Errors log full of ” WARN – keys2idl – recieved NULL idl from index_read_ext_allids, treating as empty set” messages
1570649 – pwdhash segfaults when CRYPT storage scheme is used
1574602 – Replication stops working when MemberOf plugin is enabled on hub and consumer
1576485 – Upgrade script doesn’t enable PBKDF password storage plug-in
1581737 – passthrough plugin configured to do starttls does not work.
1582092 – passwordMustChange attribute is not honored by a RO consumer if “Chain on Update” is implemented on the RO consumer
1582747 – DS only accepts RSA and Fortezza cipher families
1593807 – Fine grained password policy can impact search performance
1596467 – IPA upgrade fails for latest ipa package
1597384 – Async operations can hang when the server is running nunc-stans
1597518 – ds-replcheck command returns traceback errors against ldif files having garbage content when run in offline mode
1598186 – A search with the scope “one” returns a non-matching entry.
1598478 – If a replica is created with a bindDNGroup, this group is taken into account only after bindDNGroupCheckInterval seconds
1598718 – import fails if backend name is “default”
1602425 – ipa user commands when used with ‘–random’ or ‘–password’ option returns ‘Constraint violation: Pre-Encoded passwords are not valid’ error
1607078 – CVE-2018-10935 389-ds-base: ldapsearch with server side sort crashes the ldap server [rhel-7.6]
1614501 – Disable nunc-stans by default
1614820 – 389-ds-base: Crash in vslapd_log_emergency_error [rhel-7.6]
1616412 – ipa certmap-match fails to find ipa user when altSecurityIdentities in mapping rule
1630668 – CVE-2018-14648 389-ds-base: Mishandled search requests in servers/slapd/search.c:do_search() allows for denial of service

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):