| Field | Value | Field | Value |
|---|---|---|---|
| Summary | net-nds/389-ds-base-1.3.4.7: unintended information exposure when rootdse is enabled (CVE-2013-1897) | | |
| Product | Gentoo Security | Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | trivial | CC | lxnay |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | https://bugzilla.redhat.com/show_bug.cgi?id=928105 | | |
| Whiteboard | ~4 [glsa?] | | |
| Package list | | Runtime testing required | --- |
Description

Agostino Sarubbo, 2013-03-28 16:51:18 UTC

CVE-2013-1897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1897): The do_search function in ldap/servers/slapd/search.c in 389 Directory Server 1.2.x before 1.2.11.20 and 1.3.x before 1.3.0.5 does not properly restrict access to entries when the nsslapd-allow-anonymous-access configuration is set to rootdse and the BASE search scope is used, which allows remote attackers to obtain sensitive information outside of the rootDSE via a crafted LDAP search.

Fix available at https://git.fedorahosted.org/cgit/389/ds.git/commit/?h=389-ds-base-1.2.11&id=5a18c828533a670e7143327893f8171a19062286

Hi, we have updated 389-ds-base to 1.3.4.7. This should resolve the issue. Thanks.

Referenced commit 5a7174bf7122309eee568651fb5f3413155f9fc2

net-nds/389-ds-base-1.3.4.7 in tree. No other versions present which are vulnerable. All vulnerable versions removed.

GLSA Vote: No