Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.3144 SUSE-SU-2019:2155-1 Security update for 389-ds 16 August 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: 389-ds Publisher: SUSE Operating System: SUSE Impact/Access: Access Privileged Data -- Existing Account Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-3883 CVE-2018-14648 CVE-2018-14638 CVE-2018-10935 CVE-2018-10871 CVE-2018-1089 CVE-2018-1054 CVE-2016-5416 Reference: ESB-2018.2059 ESB-2016.2618 Original Bulletin: https://www.suse.com/support/update/announcement/2019/suse-su-20192155-1.html - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for 389-ds ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2155-1 Rating: important References: #1083689 #1092187 #1099465 #1105606 #1108674 #1109609 #1120189 #1132385 #1144797 #991201 Cross-References: CVE-2016-5416 CVE-2018-1054 CVE-2018-10871 CVE-2018-1089 CVE-2018-10935 CVE-2018-14638 CVE-2018-14648 CVE-2019-3883 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 SUSE Linux Enterprise Module for Server Applications 15 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 ______________________________________________________________________________ An update that solves 8 vulnerabilities and has two fixes is now available. Description: This update for 389-ds to version 1.4.0.26 fixes the following issues: Security issues fixed: o CVE-2016-5416: Fixed an information disclosure where a anonymous user could read the default ACI (bsc#991201). o CVE-2018-1054: Fixed a denial of service via search filters in SetUnicodeStringFromUTF_8() (bsc#1083689). o CVE-2018-1089: Fixed a buffer overflow via large filter value (bsc# 1092187). o CVE-2018-10871: Fixed an information disclosure in certain plugins leading to the disclosure of plaintext password to an privileged attackers (bsc# 1099465). o CVE-2018-14638: Fixed a denial of service through a crash in delete_passwdPolicy () (bsc#1108674). o CVE-2018-14648: Fixed a denial of service caused by malformed values in search queries (bsc#1109609). o CVE-2018-10935: Fixed a denial of service related to ldapsearch with server side sort (bsc#1105606). o CVE-2019-3883: Fixed a denial of service caused by hanging LDAP requests over TLS (bsc#1132385). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2019-2155=1 o SUSE Linux Enterprise Module for Server Applications 15: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2019-2155=1 o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2155=1 o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2155=1 Package List: o SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): 389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1 389-ds-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1 389-ds-debugsource-1.4.0.26~git0.8a2d3de6f-4.14.1 389-ds-devel-1.4.0.26~git0.8a2d3de6f-4.14.1 o SUSE Linux Enterprise Module for Server Applications 15 (aarch64 ppc64le s390x x86_64): 389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1 389-ds-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1 389-ds-debugsource-1.4.0.26~git0.8a2d3de6f-4.14.1 389-ds-devel-1.4.0.26~git0.8a2d3de6f-4.14.1 o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): 389-ds-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1 389-ds-debugsource-1.4.0.26~git0.8a2d3de6f-4.14.1 389-ds-snmp-1.4.0.26~git0.8a2d3de6f-4.14.1 389-ds-snmp-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1 o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): 389-ds-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1 389-ds-debugsource-1.4.0.26~git0.8a2d3de6f-4.14.1 389-ds-snmp-1.4.0.26~git0.8a2d3de6f-4.14.1 389-ds-snmp-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1 References: o https://www.suse.com/security/cve/CVE-2016-5416.html o https://www.suse.com/security/cve/CVE-2018-1054.html o https://www.suse.com/security/cve/CVE-2018-10871.html o https://www.suse.com/security/cve/CVE-2018-1089.html o https://www.suse.com/security/cve/CVE-2018-10935.html o https://www.suse.com/security/cve/CVE-2018-14638.html o https://www.suse.com/security/cve/CVE-2018-14648.html o https://www.suse.com/security/cve/CVE-2019-3883.html o https://bugzilla.suse.com/1083689 o https://bugzilla.suse.com/1092187 o https://bugzilla.suse.com/1099465 o https://bugzilla.suse.com/1105606 o https://bugzilla.suse.com/1108674 o https://bugzilla.suse.com/1109609 o https://bugzilla.suse.com/1120189 o https://bugzilla.suse.com/1132385 o https://bugzilla.suse.com/1144797 o https://bugzilla.suse.com/991201 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXVYAMmaOgq3Tt24GAQjJIQ/+NLD4x1cOMUlVqmiDqlJAV7/44NVYL3TQ Sk9PfcaicRBp18X+CHUOpwSTMw9keDpBfXrkxXyo/YYuomvcBAS/JkKKjDMwlr6f 34NeNn5kE7bItE1QJ82HE/3cfZbB6tY9YLY1d5iQ0eSlAlYES7EzLEiKLcoyLgiE lXf2y1kJmTG8UbCBIQe/DlSvN1rl0iYt+2dlIBc4CzdIPDoWjFZAtkQVETHmWpTF VpvQkg2Bc2tW+2k07OveNXdf1eq2KZSRaoOZLOXvVVBidW3ERacSJnO5XBhdHQgl Jg3WSqkZ7/Jz0hKEZweny1d2wC7jLIm3OGQOAVGWJ0V2tF5kXgn4uk5sc7qaFrw5 3uNMiZQP/6CfeNhONs7/3dxXztoCp7w3Yxyl8heLLyj3R3tOfsm2Z2DbSnYYUJR4 BkcFSaDCb90q9rlRSjEi5cHZwRs9JFtLzGqdJMDek2fQeULuO4nSJnxlCFtpfFXK rSPoseCshkVDUrCi2Xx/uIuDnPb0EiD68uaD0xGdLodRaldOoToc+fTnh7zpEcsT FTo2czIEgjWwKeA3vLvduRS55kWebwrA4H9x2v13uBlSFArrD7S/rPPOcdEaE1tw pyQeRW2Iyt0VddKxGfFc92niy9QOdKyoifGBA41/PYoa0puv3VLrfS+ReUTZ7cMw riBto3f+aZY= =J8H8 -----END PGP SIGNATURE-----