Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

      Moderate: 389-ds-base security, bug fix, and enhancement update
                              7 November 2016


        AusCERT Security Bulletin Summary

Product:           389-ds-base
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5416 CVE-2016-5405 CVE-2016-4992

Original Bulletin: 

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running 389-ds-base check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1

                   Red Hat Security Advisory

Synopsis:          Moderate: 389-ds-base security, bug fix, and enhancement update
Advisory ID:       RHSA-2016:2594-02
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2594.html
Issue date:        2016-11-03
CVE Names:         CVE-2016-4992 CVE-2016-5405 CVE-2016-5416 

1. Summary:

An update for 389-ds-base is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64le, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64le, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The
base packages include the Lightweight Directory Access Protocol (LDAP)
server and command-line utilities for server administration.

The following packages have been upgraded to a newer upstream version:
389-ds-base ( (BZ#1270020)

Security Fix(es):

* It was found that 389 Directory Server was vulnerable to a flaw in which
the default ACI (Access Control Instructions) could be read by an anonymous
user. This could lead to leakage of sensitive information. (CVE-2016-5416)

* An information disclosure flaw was found in 389 Directory Server. A user
with no access to objects in certain LDAP sub-tree could send LDAP ADD
operations with a specific object name. The error message returned to the
user was different based on whether the target object existed or not.

* It was found that 389 Directory Server was vulnerable to a remote
password disclosure via timing attack. A remote attacker could possibly use
this flaw to retrieve directory server password after many tries.

The CVE-2016-5416 issue was discovered by Viktor Ashirov (Red Hat); the
CVE-2016-4992 issue was discovered by Petr Spacek (Red Hat) and Martin
Basti (Red Hat); and the CVE-2016-5405 issue was discovered by William
Brown (Red Hat).

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.3 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:


After installing this update, the 389 server service will be restarted

5. Bugs fixed (https://bugzilla.redhat.com/):

190862 - [RFE] Default password syntax settings don't work with fine-grained policies
1018944 - [RFE] Enhance password change tracking
1143066 - [RFE] The dirsrv user/group should be created in rpm %pre, and ideally with fixed uid/gid
1160902 - search, matching rules and filter error "unsupported type 0xA9"
1196282 - substring index with nssubstrbegin: 1 is not being used with filters like (attr=x*)
1209128 - [RFE] Add a utility to get the status of Directory Server instances
1210842 - Add PIDFile option to systemd service file
1223510 - nsslapd-maxbersize should be ignored in replication
1229799 - 389-ds-base: ldclt-bin killed by SIGSEGV
1249908 - No validation check for the value for nsslapd-db-locks.
1254887 - No man page entry for - option '-u' of dbgen.pl for adding group entries with uniquemembers
1255557 - db2index creates index entry from deleted records
1257568 - /usr/lib64/dirsrv/libnunc-stans.so is owned by both -libs and -devel
1258610 - total update request must not be lost
1258611 - dna plugin needs to handle binddn groups for authorization
1259950 - Add config setting to MemberOf Plugin to add required objectclass got memberOf attribute
1266510 - Linked Attributes plug-in - wrong behaviour when adding valid and broken links
1266532 - Linked Attributes plug-in - won't update links after MODRDN operation
1267750 - pagedresults - when timed out, search results could have been already freed.
1269378 - ds-logpipe.py with wrong arguments - python exception in the output
1270020 - Rebase 389-ds-base to 1.3.5 in RHEL-7.3
1271330 - nunc-stans: Attempt to release connection that is not acquired
1273142 - crash in Managed Entry plugin
1273549 - [RFE] Improve timestamp resolution in logs
1273550 - Deadlock between two MODs on the same entry between entry cache and backend lock
1273555 - deadlock in mep delete post op
1275763 - [RFE] add setup-ds.pl option to disable instance specific scripts
1278567 - SimplePagedResults -- abandon could happen between the abandon check and sending results
1278584 - Share nsslapd-threadnumber in the case nunc-stans is enabled, as well.
1278755 - deadlock on connection mutex
1278987 - Cannot upgrade a consumer to supplier in a multimaster environment
1280123 - acl - regression - trailing ', (comma)' in macro matched value is not removed.
1280456 - setup-ds should detect if port is already defined
1288229 - many attrlist_replace errors in connection with cleanallruv
1290101 - proxyauth support does not work when bound as directory manager
1290111 - [RFE] Support for rfc3673 '+' to return operational attributes
1290141 - With exhausted range, part of DNA shared configuration is deleted after server restart
1290242 - SimplePagedResults -- in the search error case, simple paged results slot was not released.
1290600 - The 'eq' index does not get updated properly when deleting and re-adding attributes in the same ldapmodify operation
1296310 - ldclt - segmentation fault error while binding
1301097 - logconv.pl displays negative operation speeds
1302823 - Crash in slapi_get_object_extension
1303641 - heap corruption at schema replication.
1303794 - Import readNSState.py from RichM's repo
1304682 - "stale" automember rule (associated to a removed group) causes discrepancies in the database
1307151 - keep alive entries can break replication
1310848 - Supplier can skip a failing update, although it should retry.
1312557 - dirsrv service fails to start when nsslapd-listenhost is configured
1314557 - change severity of some messages related to "keep alive" entries
1314956 - moving an entry cause next on-line init to skip entry has no parent, ending at line 0 of file "(bulk import)"
1315893 - License tag does not match actual license of code
1316328 - search returns no entry  when OR filter component contains non readable attribute
1316580 - dirsrv service doesn't ask for pin when pin.txt is missing
1316731 - syncrepl search returning error 329; plugin sending a bad error code
1316741 - ldctl should support -H  with ldap uris
1316742 - no plugin calls in tombstone purging
1319329 - add nsslapd-auditlog-logging-enabled: off to template-dse.ldif
1320295 - If nsSSL3 is on, even if SSL v3 is not really enabled, a confusing message is logged.
1320715 - DES to AES password conversion fails if a backend is empty
1321124 - Replication changelog can incorrectly skip over updates
1326077 - Page result search should return empty cookie if there is no returned entry
1326520 - db2index uses a buffer size derived from dbcachesize
1328936 - objectclass values could be dropped on the consumer
1329061 - 389-ds-base- "hang"
1331343 - Paged results search returns the blank list of entries
1332533 - ns-accountstatus.pl gives error message on execution along with results.
1332709 - password history is not updated when an admin resets the password
1333184 - (389-ds-base-1.3.5) Fixing coverity issues.
1333515 - Enable DS to offer weaker DH params in NSS
1334455 - db2ldif is not taking into account multiple suffixes or backends
1335492 - Modifier's name is not recorded in the audit log with modrdn and moddn operations
1335618 - Server ram sanity checks work in isolation
1338872 - Wrong result code display in audit-failure log
1340307 - Running db2index with no options breaks replication
1342609 - At startup DES to AES password conversion causes timeout in start script
1344414 - [RFE] adding pre/post extop ability
1347760 - CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation
1349540 - CVE-2016-5416 389-ds-base: ACI readable by anonymous user
1349571 - Improve MMR replication convergence
1349577 - Values of dbcachetries/dbcachehits in cn=monitor could overflow.
1350632 - ns-slapd shutdown crashes if pwdstorageschema name is from stack.
1353592 - Setup-ds.pl --update fails
1353629 - DS shuts down automatically if dnaThreshold is set to 0 in a MMR setup
1353714 - If a cipher is disabled, do not attempt to look it up
1354374 - Upgrade to 389-ds-base >= doesn't install 389-ds-base-snmp
1354660 - flow control in replication also blocks receiving results
1355879 - nunc-stans: ns-slapd crashes during startup with SIGILL on AMD Opteron 280
1356261 - Fixup tombstone task needs to set proper flag when updating tombstones
1358865 - CVE-2016-5405 389-ds-base: Password verification vulnerable to timing attack
1360327 - remove-ds.pl deletes an instance even if wrong prefix was specified
1360447 - nsslapd-workingdir is empty when ns-slapd is started by systemd
1361134 - When fine-grained policy is applied, a sub-tree has a priority over a user while changing password
1361321 - Duplicate collation entries
1364190 - Change example in /etc/sysconfig/dirsrv to use tcmalloc
1368520 - Crash in import_wait_for_space_in_fifo().
1368956 - man page of ns-accountstatus.pl shows redundant entries for -p port option
1369537 - passwordMinAge attribute doesn't limit the minimum age of the password
1369570 - cleanallruv changelog cleaning incorrectly impacts all backends
1370300 - set proper update status to replication agreement in  case of failure
1371283 - Server Side Sorting crashes the server.
1371284 - Disabling CLEAR password storage scheme will crash server when setting a password

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):



Red Hat Enterprise Linux ComputeNode Optional (v. 7):



Red Hat Enterprise Linux Server (v. 7):





Red Hat Enterprise Linux Server Optional (v. 7):




Red Hat Enterprise Linux Workstation (v. 7):



Red Hat Enterprise Linux Workstation Optional (v. 7):


These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from

7. References:


8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
Version: GnuPG v1


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967