-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2618
      Moderate: 389-ds-base security, bug fix, and enhancement update
                              7 November 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           389-ds-base
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5416 CVE-2016-5405 CVE-2016-4992

Original Bulletin:
   https://rhn.redhat.com/errata/RHSA-2016-2594.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Red Hat. It is recommended that administrators
         running 389-ds-base check for an updated version of the software
         for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: 389-ds-base security, bug fix, and enhancement update
Advisory ID:       RHSA-2016:2594-02
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2594.html
Issue date:        2016-11-03
CVE Names:         CVE-2016-4992 CVE-2016-5405 CVE-2016-5416
=====================================================================

1. Summary:

An update for 389-ds-base is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64le, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64le, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The
base packages include the Lightweight Directory Access Protocol (LDAP)
server and command-line utilities for server administration.

The following packages have been upgraded to a newer upstream version:
389-ds-base (1.3.5.10). (BZ#1270020)

Security Fix(es):

* It was found that 389 Directory Server was vulnerable to a flaw in which
the default ACIs (Access Control Instructions) could be read by an anonymous
user. This could lead to leakage of sensitive information. (CVE-2016-5416)

* An information disclosure flaw was found in 389 Directory Server. A user
with no access to objects in a certain LDAP sub-tree could send LDAP ADD
operations with a specific object name. The error message returned to the
user was different depending on whether the target object existed or not,
so repeated ADD requests could be used to enumerate entries the user was not
allowed to see. (CVE-2016-4992)

* It was found that 389 Directory Server was vulnerable to a remote password
disclosure via a timing attack: the time taken to reject a wrong password
depended on how much of it was correct. A remote attacker could possibly use
this flaw to retrieve a directory server password after many tries.
(CVE-2016-5405)

The CVE-2016-5416 issue was discovered by Viktor Ashirov (Red Hat); the
CVE-2016-4992 issue was discovered by Petr Spacek (Red Hat) and Martin Basti
(Red Hat); and the CVE-2016-5405 issue was discovered by William Brown (Red
Hat).

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.3 Release Notes linked from the References section.
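Two of the three issues above are instances of well-known disclosure classes: a response that differs with the existence of an object the caller is not allowed to touch (CVE-2016-4992), and a password check whose running time depends on how much of the guess is right (CVE-2016-5405). The following is an added example written for this bulletin, not 389 Directory Server code and not Red Hat's fix: Directory, compare_leaky, compare_constant and recover are invented models, the DNs and the secret are constructed, and the `work` counter stands in for the wall-clock time a real attacker would have to measure over many samples. It shows why the vulnerable shape of each check leaks and why the fixed shape does not.

```python
"""Models of the two disclosure classes named in the advisory.
Added example; NOT 389-ds code. All names and data here are invented."""
import hmac

# LDAP result codes from RFC 4511, as returned by the ADD model below.
INSUFFICIENT_ACCESS_RIGHTS = 50
ENTRY_ALREADY_EXISTS = 68


class Directory:
    """Toy directory: a set of DNs plus per-bind-DN write grants on suffixes."""

    def __init__(self, entries, grants):
        self.entries = set(entries)
        self.grants = grants  # {bind_dn: {suffix, ...}}

    def _can_write(self, bind_dn, target_dn):
        return any(target_dn.endswith(sfx) for sfx in self.grants.get(bind_dn, ()))

    def add_vulnerable(self, bind_dn, target_dn):
        # Existence is tested before authorization, so a caller with no
        # access still learns whether target_dn exists from the result code.
        if target_dn in self.entries:
            return ENTRY_ALREADY_EXISTS
        if not self._can_write(bind_dn, target_dn):
            return INSUFFICIENT_ACCESS_RIGHTS
        self.entries.add(target_dn)
        return 0

    def add_fixed(self, bind_dn, target_dn):
        # Authorization first: without write access the answer is the same
        # whether or not the entry exists, so there is nothing to probe.
        if not self._can_write(bind_dn, target_dn):
            return INSUFFICIENT_ACCESS_RIGHTS
        if target_dn in self.entries:
            return ENTRY_ALREADY_EXISTS
        self.entries.add(target_dn)
        return 0


def probe_existing(add, bind_dn, candidates):
    """Enumeration: every candidate that answers 'already exists' is present."""
    return [dn for dn in candidates if add(bind_dn, dn) == ENTRY_ALREADY_EXISTS]


def compare_leaky(stored, guess):
    """Early-exit byte compare. Returns (equal, work); `work` models time."""
    work = 0
    for a, b in zip(stored, guess):
        work += 1
        if a != b:
            return False, work
    return len(stored) == len(guess), work


def compare_constant(stored, guess):
    """Constant-time compare: work does not depend on where guess diverges."""
    return hmac.compare_digest(stored, guess), len(stored)


def recover(oracle, length, alphabet=b"abcdefghijklmnopqrstuvwxyz0123456789"):
    """Rebuild a secret byte by byte by choosing, at each position, the
    guess that made the server work longest before rejecting it."""
    known = b""
    for _ in range(length):
        best = None
        for c in alphabet:
            guess = known + bytes([c]) + b"\x00" * (length - len(known) - 1)
            equal, work = oracle(guess)
            if equal:
                return guess
            if best is None or work > best[1]:
                best = (c, work)
        known += bytes([best[0]])
    return known


if __name__ == "__main__":
    d = Directory({"uid=alice,ou=people,dc=example,dc=com"},
                  {"cn=admin": {"dc=example,dc=com"}})
    names = ["uid=alice,ou=people,dc=example,dc=com",
             "uid=bob,ou=people,dc=example,dc=com"]
    print("vulnerable:", probe_existing(d.add_vulnerable, "uid=guest", names))
    print("fixed:     ", probe_existing(d.add_fixed, "uid=guest", names))
    secret = b"s3cret9x"  # constructed
    print("leaky:   ", recover(lambda g: compare_leaky(secret, g), len(secret)))
    print("constant:", recover(lambda g: compare_constant(secret, g), len(secret)))
```

Against the constant-time oracle every guess costs the same, so recover() has nothing to rank and simply returns the first letter of the alphabet repeated; against the early-exit oracle it walks the secret one position at a time, which is the "after many tries" of the advisory text. The ordering fix in add_fixed is the general rule for the ADD oracle: decide authorization before anything that depends on the target's state.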
4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the 389 server service will be restarted
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

190862 - [RFE] Default password syntax settings don't work with fine-grained policies
1018944 - [RFE] Enhance password change tracking
1143066 - [RFE] The dirsrv user/group should be created in rpm %pre, and ideally with fixed uid/gid
1160902 - search, matching rules and filter error "unsupported type 0xA9"
1196282 - substring index with nssubstrbegin: 1 is not being used with filters like (attr=x*)
1209128 - [RFE] Add a utility to get the status of Directory Server instances
1210842 - Add PIDFile option to systemd service file
1223510 - nsslapd-maxbersize should be ignored in replication
1229799 - 389-ds-base: ldclt-bin killed by SIGSEGV
1249908 - No validation check for the value for nsslapd-db-locks.
1254887 - No man page entry for - option '-u' of dbgen.pl for adding group entries with uniquemembers
1255557 - db2index creates index entry from deleted records
1257568 - /usr/lib64/dirsrv/libnunc-stans.so is owned by both -libs and -devel
1258610 - total update request must not be lost
1258611 - dna plugin needs to handle binddn groups for authorization
1259950 - Add config setting to MemberOf Plugin to add required objectclass got memberOf attribute
1266510 - Linked Attributes plug-in - wrong behaviour when adding valid and broken links
1266532 - Linked Attributes plug-in - won't update links after MODRDN operation
1267750 - pagedresults - when timed out, search results could have been already freed.
1269378 - ds-logpipe.py with wrong arguments - python exception in the output
1270020 - Rebase 389-ds-base to 1.3.5 in RHEL-7.3
1271330 - nunc-stans: Attempt to release connection that is not acquired
1273142 - crash in Managed Entry plugin
1273549 - [RFE] Improve timestamp resolution in logs
1273550 - Deadlock between two MODs on the same entry between entry cache and backend lock
1273555 - deadlock in mep delete post op
1275763 - [RFE] add setup-ds.pl option to disable instance specific scripts
1278567 - SimplePagedResults -- abandon could happen between the abandon check and sending results
1278584 - Share nsslapd-threadnumber in the case nunc-stans is enabled, as well.
1278755 - deadlock on connection mutex
1278987 - Cannot upgrade a consumer to supplier in a multimaster environment
1280123 - acl - regression - trailing ', (comma)' in macro matched value is not removed.
1280456 - setup-ds should detect if port is already defined
1288229 - many attrlist_replace errors in connection with cleanallruv
1290101 - proxyauth support does not work when bound as directory manager
1290111 - [RFE] Support for rfc3673 '+' to return operational attributes
1290141 - With exhausted range, part of DNA shared configuration is deleted after server restart
1290242 - SimplePagedResults -- in the search error case, simple paged results slot was not released.
1290600 - The 'eq' index does not get updated properly when deleting and re-adding attributes in the same ldapmodify operation
1296310 - ldclt - segmentation fault error while binding
1301097 - logconv.pl displays negative operation speeds
1302823 - Crash in slapi_get_object_extension
1303641 - heap corruption at schema replication.
1303794 - Import readNSState.py from RichM's repo
1304682 - "stale" automember rule (associated to a removed group) causes discrepancies in the database
1307151 - keep alive entries can break replication
1310848 - Supplier can skip a failing update, although it should retry.
1312557 - dirsrv service fails to start when nsslapd-listenhost is configured
1314557 - change severity of some messages related to "keep alive" entries
1314956 - moving an entry cause next on-line init to skip entry has no parent, ending at line 0 of file "(bulk import)"
1315893 - License tag does not match actual license of code
1316328 - search returns no entry when OR filter component contains non readable attribute
1316580 - dirsrv service doesn't ask for pin when pin.txt is missing
1316731 - syncrepl search returning error 329; plugin sending a bad error code
1316741 - ldctl should support -H with ldap uris
1316742 - no plugin calls in tombstone purging
1319329 - add nsslapd-auditlog-logging-enabled: off to template-dse.ldif
1320295 - If nsSSL3 is on, even if SSL v3 is not really enabled, a confusing message is logged.
1320715 - DES to AES password conversion fails if a backend is empty
1321124 - Replication changelog can incorrectly skip over updates
1326077 - Page result search should return empty cookie if there is no returned entry
1326520 - db2index uses a buffer size derived from dbcachesize
1328936 - objectclass values could be dropped on the consumer
1329061 - 389-ds-base-1.3.4.0-29.el7_2 "hang"
1331343 - Paged results search returns the blank list of entries
1332533 - ns-accountstatus.pl gives error message on execution along with results.
1332709 - password history is not updated when an admin resets the password
1333184 - (389-ds-base-1.3.5) Fixing coverity issues.
1333515 - Enable DS to offer weaker DH params in NSS
1334455 - db2ldif is not taking into account multiple suffixes or backends
1335492 - Modifier's name is not recorded in the audit log with modrdn and moddn operations
1335618 - Server ram sanity checks work in isolation
1338872 - Wrong result code display in audit-failure log
1340307 - Running db2index with no options breaks replication
1342609 - At startup DES to AES password conversion causes timeout in start script
1344414 - [RFE] adding pre/post extop ability
1347760 - CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation
1349540 - CVE-2016-5416 389-ds-base: ACI readable by anonymous user
1349571 - Improve MMR replication convergence
1349577 - Values of dbcachetries/dbcachehits in cn=monitor could overflow.
1350632 - ns-slapd shutdown crashes if pwdstorageschema name is from stack.
1353592 - Setup-ds.pl --update fails
1353629 - DS shuts down automatically if dnaThreshold is set to 0 in a MMR setup
1353714 - If a cipher is disabled, do not attempt to look it up
1354374 - Upgrade to 389-ds-base >= 1.3.5.5 doesn't install 389-ds-base-snmp
1354660 - flow control in replication also blocks receiving results
1355879 - nunc-stans: ns-slapd crashes during startup with SIGILL on AMD Opteron 280
1356261 - Fixup tombstone task needs to set proper flag when updating tombstones
1358865 - CVE-2016-5405 389-ds-base: Password verification vulnerable to timing attack
1360327 - remove-ds.pl deletes an instance even if wrong prefix was specified
1360447 - nsslapd-workingdir is empty when ns-slapd is started by systemd
1361134 - When fine-grained policy is applied, a sub-tree has a priority over a user while changing password
1361321 - Duplicate collation entries
1364190 - Change example in /etc/sysconfig/dirsrv to use tcmalloc
1368520 - Crash in import_wait_for_space_in_fifo().
1368956 - man page of ns-accountstatus.pl shows redundant entries for -p port option
1369537 - passwordMinAge attribute doesn't limit the minimum age of the password
1369570 - cleanallruv changelog cleaning incorrectly impacts all backends
1370300 - set proper update status to replication agreement in case of failure
1371283 - Server Side Sorting crashes the server.
1371284 - Disabling CLEAR password storage scheme will crash server when setting a password

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:
389-ds-base-1.3.5.10-11.el7.src.rpm

x86_64:
389-ds-base-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-debuginfo-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-devel-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-libs-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-snmp-1.3.5.10-11.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:
389-ds-base-1.3.5.10-11.el7.src.rpm

x86_64:
389-ds-base-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-debuginfo-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-devel-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-libs-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-snmp-1.3.5.10-11.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
389-ds-base-1.3.5.10-11.el7.src.rpm

aarch64:
389-ds-base-1.3.5.10-11.el7.aarch64.rpm
389-ds-base-debuginfo-1.3.5.10-11.el7.aarch64.rpm
389-ds-base-libs-1.3.5.10-11.el7.aarch64.rpm

ppc64le:
389-ds-base-1.3.5.10-11.el7.ppc64le.rpm
389-ds-base-debuginfo-1.3.5.10-11.el7.ppc64le.rpm
389-ds-base-libs-1.3.5.10-11.el7.ppc64le.rpm

x86_64:
389-ds-base-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-debuginfo-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-libs-1.3.5.10-11.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
389-ds-base-debuginfo-1.3.5.10-11.el7.aarch64.rpm
389-ds-base-devel-1.3.5.10-11.el7.aarch64.rpm
389-ds-base-snmp-1.3.5.10-11.el7.aarch64.rpm

ppc64le:
389-ds-base-debuginfo-1.3.5.10-11.el7.ppc64le.rpm
389-ds-base-devel-1.3.5.10-11.el7.ppc64le.rpm
389-ds-base-snmp-1.3.5.10-11.el7.ppc64le.rpm

x86_64:
389-ds-base-debuginfo-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-devel-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-snmp-1.3.5.10-11.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
389-ds-base-1.3.5.10-11.el7.src.rpm

x86_64:
389-ds-base-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-debuginfo-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-libs-1.3.5.10-11.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
389-ds-base-debuginfo-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-devel-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-snmp-1.3.5.10-11.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-4992
https://access.redhat.com/security/cve/CVE-2016-5405
https://access.redhat.com/security/cve/CVE-2016-5416
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.3_Release_Notes/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYGvy7XlSAg2UNWIIRAkpgAJ46Jzb0AJbiVWlv0EH6YPUEWY+K9ACgucKZ
kqpJJ4JPlQdxdNHxSMdXq8Y=
=6O9X
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
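The fixed build in the Package List above is 389-ds-base-1.3.5.10-11.el7. Deciding from inventory output whether a host already carries it means comparing rpm version strings the way rpm does, not lexically (1.3.5.10 sorts after 1.3.5.9, and 11.el7_3 after 11.el7). The following is an added example, not Red Hat tooling and not rpm's own code: rpmvercmp() re-implements rpm's segment comparison in Python, the FIXED table is taken from the package list above with a zero epoch assumed because the advisory names none, the sample inventory lines are constructed in the shape `rpm -qa --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n'` prints (a `(none)` epoch from `%{EPOCH}` is also accepted), and the `^` separator of later rpm releases is not modelled since RHEL 7's rpm predates it.

```python
"""Added example: is the installed 389-ds-base at or beyond the fixed EVR?
rpmvercmp() is a Python re-implementation of rpm's segment comparison,
not rpm's own code; '^' (rpm >= 4.14) is deliberately not modelled."""

# Fixed builds from the Package List above; epoch assumed 0 (none is set).
FIXED = {name: "0:1.3.5.10-11.el7" for name in (
    "389-ds-base", "389-ds-base-libs", "389-ds-base-devel",
    "389-ds-base-snmp", "389-ds-base-debuginfo")}


def _segment(s, i, pred):
    j = i
    while j < len(s) and pred(s[j]):
        j += 1
    return s[i:j]


def rpmvercmp(a, b):
    """Return 1, 0 or -1 as version string a is newer, equal or older than b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything that is not alphanumeric or '~') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # '~' sorts before everything, including the end of the string.
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        sa, sb = _segment(a, i, pred), _segment(b, j, pred)
        if not sb:
            return 1 if isnum else -1  # numeric segment beats alpha segment
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever has characters left wins


def parse_evr(evr):
    """'[epoch:]version-release' -> (int epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return (int(epoch) if epoch not in ("", "(none)") else 0), version, release


def evrcmp(a, b):
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(name, installed_evr):
    return evrcmp(installed_evr, FIXED[name]) >= 0


# Constructed sample output; real input would come from
#   rpm -qa --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' '389-ds-base*'
SAMPLE = """\
389-ds-base 0:1.3.4.0-29.el7_2
389-ds-base-libs 0:1.3.4.0-29.el7_2
389-ds-base-snmp 0:1.3.5.10-11.el7
"""


def audit(output):
    """Map each listed 389-ds-base package to True (fixed) or False."""
    result = {}
    for line in output.splitlines():
        name, evr = line.split()
        if name in FIXED:
            result[name] = is_fixed(name, evr)
    return result


if __name__ == "__main__":
    for name, ok in audit(SAMPLE).items():
        print(f"{name}: {'fixed' if ok else 'VULNERABLE'}")
```

A later rebuild such as 1.3.5.10-11.el7_3 compares as newer because leftover characters win once every common segment is equal, so it is correctly reported as fixed; an epoch bump would outrank everything else, which is why the epoch is compared first.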
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWB+4VIx+lLeg9Ub1AQgfRg/+KGFVt1xY2v+XVR6pWPy4ulVX6PivwJ3y
8SOxIaz8aSVnvVk5uAOcGtUs3dZ5CLzWhGt+qed/6IlPniL1Yul8m70hR0vbUlkn
SQ9eb8xsO/3rCFxQy090fCivCQtCSYrdpqCeF/+xDR3i+3k25sYn5hQpksJPXhRA
/Vj4YxtPhNWNqD/1fQUqowjjLyoT/lIcvNSxGbt9tLbt5AtyEUtUq5jxaQ8CiT2/
l6NVhbkA7MZETlD7M8vLUUtAEavmAoCkvcN+QiWpGhPdsrZmfLULuDfP8+zyFJI8
VPXyFBD/Cad+rhXMa/I+mbTPdM8H7eSwCWpR9hAfcV1Sj5D8hYfHmpaQURl1JOBM
xUlpPfaZVv+4UynIka1paF6HEWiJIuveuGZJEvaCWh97sw3GmsxyeooyczQj6LFK
AB0kxKIkrQZUHgsU5TF3hi4piYGMkgdcR4rfBIGW8ie63f83ToPlo1zYsKQ6PgAK
Z/hLYlP/gc9TE4yTzXeBXkqlNTmvyRgk3daK5so3A97Z2DQP4HZVUniTHepEXXFj
m9pCW0ZOe1EovlOri5uyEZzoDwXBB712gNJIcIFgcb//jjh4QMy4PlktHnyzKZ9q
8lp7bQwEdS0JCtpE+NJQFZh3rFXWa2wYI1VYO3rwem7LKcyPN8LARywuTpigXMQ1
tdzDL+4T7Rw=
=jZui
-----END PGP SIGNATURE-----