| Summary: | <net-nds/389-ds-base-1.3.4.8: SASL/GSSAPI Security Bypass Security Issue (CVE-2014-0132) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | lxnay |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://secunia.com/advisories/57427/ | ||
| Whiteboard: | ~4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
CVE-2014-0132 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0132): The SASL authentication functionality in 389 Directory Server before 1.2.11.26 allows remote authenticated users to connect as an arbitrary user and gain privileges via the authzid parameter in a SASL/GSSAPI bind. Hi, We have updated 389-ds-base to 1.3.4.7. This should resolve the issue. Thanks, Referenced commit 5a7174bf7122309eee568651fb5f3413155f9fc2 No vulnerable versions in tree. |
From ${URL} : Description A security issue has been reported in 389 Directory Server, which can be exploited by malicious users to bypass certain security restrictions. The security issue is caused due to an error related to SASL/GSSAPI authentication when the "authzid" parameter is specified and can be exploited to use the directory as another user. The security issue is reported in versions prior to 1.3.1.20 and 1.3.2.14. Solution: Update to version 1.3.1.20 or 1.3.2.14. Provided and/or discovered by: rv3 in a bug report. Original Advisory: http://directory.fedoraproject.org/wiki/Releases/1.3.1.20 http://directory.fedoraproject.org/wiki/Releases/1.3.2.14 rv3: https://fedorahosted.org/389/ticket/47739 @maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.