Bug 849401 (CVE-2022-1949) - <net-nds/389-ds-base-2.3.2: access control bypass vulnerability
Summary: <net-nds/389-ds-base-2.3.2: access control bypass vulnerability
Status: RESOLVED FIXED
Alias: CVE-2022-1949
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/389ds/389-ds-base/...
Whiteboard: ~4 [noglsa]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2022-06-02 22:02 UTC by John Helmert III
Modified: 2024-04-28 08:37 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III 2022-06-02 22:02:28 UTC
CVE-2022-1949:

An access control bypass vulnerability was found in 389-ds-base. The mishandling of the filter would yield incorrect results, but as this has progressed, it can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.

Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=2091781

There are some PRs upstream with potential fixes: https://github.com/389ds/389-ds-base/issues/5170#issuecomment-1140630971
Comment 1 John Helmert III 2022-08-18 00:41:49 UTC
If I'm reading this git spaghetti correctly, it looks like this made it into 2.0.16, 2.1.2, and 2.2.2
Comment 2 Larry the Git Cow 2024-04-28 07:24:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db6509134724c8a14ca82fe9e1e931f3e6e5e116

commit db6509134724c8a14ca82fe9e1e931f3e6e5e116
Author:     Robert Förster <Dessa@gmake.de>
AuthorDate: 2024-04-27 15:17:11 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2024-04-28 07:08:27 +0000

    net-nds/389-ds-base: drop 1.4.4.19-r4, 2.1.0-r4, 2.3.2
    
    Bug: https://bugs.gentoo.org/849401
    Bug: https://bugs.gentoo.org/835611
    Bug: https://bugs.gentoo.org/833631
    Signed-off-by: Robert Förster <Dessa@gmake.de>
    Closes: https://github.com/gentoo/gentoo/pull/36458
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 net-nds/389-ds-base/389-ds-base-1.4.4.19-r4.ebuild | 324 ---------------------
 net-nds/389-ds-base/389-ds-base-2.1.0-r4.ebuild    | 321 --------------------
 net-nds/389-ds-base/389-ds-base-2.3.2.ebuild       | 298 -------------------
 net-nds/389-ds-base/Manifest                       | 134 ---------
 ...-ds-base-2.3.2-setuptools-67-packaging-23.patch | 167 -----------
 5 files changed, 1244 deletions(-)
Comment 3 Hans de Graaff 2024-04-28 08:37:23 UTC
All done. Thanks!