Bug 478834 (CVE-2013-2219) - <net-nds/389-ds-base-1.3.4.8: Search Filter Expressions Evaluation Information Disclosure Security Issue (CVE-2013-2219)
Summary: <net-nds/389-ds-base-1.3.4.8: Search Filter Expressions Evaluation Informatio...
Status: RESOLVED FIXED
Alias: CVE-2013-2219
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://secunia.com/advisories/54140/
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-30 15:24 UTC by Agostino Sarubbo
Modified: 2016-03-29 11:27 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-07-30 15:24:08 UTC
From ${URL} :

Description

A security issue has been reported in 389 Directory Server, which can be exploited by malicious people to disclose potentially sensitive information.

The security issue is caused due to an error when evaluating search filter expressions and can be exploited to determine the values of otherwise restricted attributes via a series of search queries with certain filter conditions.

Successful exploitation requires permission to query the Directory Server.

The security issue is reported in version 1.3.0.6. Other versions may also be affected.


Solution:
No official solution is currently available.

Provided and/or discovered by:
Ludwig Krispenz, Red Hat via a bug report.

Original Advisory:
389 Directory Server:
https://fedorahosted.org/389/ticket/47405

Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=979508


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
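The advisory above describes the flaw only in outline: a bind that may query the directory can learn the value of an attribute it is not allowed to read by watching which entries match a filter on that attribute. The following model, added here as an illustration and not taken from the 389 Directory Server code base or from the ticket, shows one way such an oracle works. The two-entry directory, the per-attribute rights table, the attribute name employeeNumber and the prefix-by-prefix substring probing are all constructed assumptions; the "fixed" evaluator models the general remedy of refusing to evaluate filter components on attributes the bind has no search right for, not the project's actual patch.

```python
import re
import string

# Constructed sample directory (not real data). employeeNumber is the attribute an
# ordinary bind is assumed to be barred from reading or searching.
DIRECTORY = [
    {
        "dn": "uid=alice,ou=people,dc=example,dc=com",
        "uid": "alice",
        "cn": "Alice Example",
        "employeeNumber": "A-4471",
    },
    {
        "dn": "uid=bob,ou=people,dc=example,dc=com",
        "uid": "bob",
        "cn": "Bob Example",
        "employeeNumber": "B-0932",
    },
]

# Assumed access-rights model for an authenticated, unprivileged bind:
# attribute -> rights granted. This is an illustrative table, not 389-ds ACI syntax.
RIGHTS = {"uid": {"read", "search"}, "cn": {"read", "search"}, "employeeNumber": set()}

_FILTER_RE = re.compile(r"^\((\w+)=([^()]*)\)$")


def parse_filter(filt):
    """Parse a single-component LDAP filter such as (cn=Alice*) into (attr, regex).
    '*' is the substring wildcard; every other character is matched literally."""
    m = _FILTER_RE.match(filt)
    if not m:
        raise ValueError("unsupported filter: %r" % filt)
    attr, pattern = m.group(1), m.group(2)
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return attr, re.compile(regex)


def search_vulnerable(filt, rights=RIGHTS):
    """Model of the reported behaviour: the filter is evaluated against every attribute,
    and only the attributes *returned* in each entry are filtered by rights. Whether an
    entry appears in the result therefore leaks whether its restricted value matched."""
    attr, regex = parse_filter(filt)
    results = []
    for entry in DIRECTORY:
        if attr in entry and regex.match(entry[attr]):
            visible = {k: v for k, v in entry.items()
                       if k == "dn" or "read" in rights.get(k, set())}
            results.append(visible)
    return results


def search_fixed(filt, rights=RIGHTS):
    """Hardened model: a filter component on an attribute the bind has no 'search' right
    for is treated as not matching, so the restricted value can no longer act as an oracle."""
    attr, _ = parse_filter(filt)
    if "search" not in rights.get(attr, set()):
        return []
    return search_vulnerable(filt, rights)


def recover_value(search, attr, target_dn,
                  alphabet=string.ascii_uppercase + string.digits + "-", max_len=32):
    """Drive the server's search as a yes/no oracle: extend a prefix one character at a
    time with (attr=prefix*) filters, then confirm the full value with an equality filter.
    Returns None when no prefix matches, i.e. when the oracle is closed."""
    def hits(f):
        return any(e["dn"] == target_dn for e in search(f))

    prefix = ""
    while len(prefix) < max_len:
        for ch in alphabet:
            if hits("(%s=%s*)" % (attr, prefix + ch)):
                prefix += ch
                break
        else:
            # Nothing extends the prefix: either it is the whole value or the server refused.
            if prefix and hits("(%s=%s)" % (attr, prefix)):
                return prefix
            return None
    return None


if __name__ == "__main__":
    dn = DIRECTORY[0]["dn"]
    print("readable attrs via (uid=alice):", sorted(search_vulnerable("(uid=alice)")[0]))
    print("vulnerable server leaks:", recover_value(search_vulnerable, "employeeNumber", dn))
    print("fixed server leaks:", recover_value(search_fixed, "employeeNumber", dn))
```

Against the vulnerable evaluator the value is recovered with at most alphabet-size probes per character, even though (uid=alice) never returns employeeNumber. Against the fixed evaluator the first probe on the restricted attribute returns no entries and the recovery stops, while ordinary searches such as (cn=Alice*) still work because the bind keeps its search right on cn.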
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 02:50:51 UTC
CVE-2013-2219 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2219):
  The Red Hat Directory Server before 8.2.11-13 and 389 Directory Server do
  not properly restrict access to entity attributes, which allows remote
  authenticated users to obtain sensitive information via a search query for
  the attribute.
Comment 2 William Brown 2016-02-07 01:48:07 UTC
Hi,

We have updated 389-ds-base to 1.3.4.7. This should resolve the issue.

Thanks,
Comment 3 Adam Feldman gentoo-dev 2016-02-07 01:56:41 UTC
Referenced commit 5a7174bf7122309eee568651fb5f3413155f9fc2
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-03-29 11:27:31 UTC
This issue was resolved in 1.3.1 per [0].  No vulnerable versions in tree.

[0]: https://fedorahosted.org/389/ticket/47405