| Summary: | net-nds/389-ds-base: Multiple vulnerabilities (CVE-2018-1089,CVE-2019-3883) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | jstein, maintainer-needed, treecleaner, wes, wibrown |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2018/05/07/2 | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=701812 https://github.com/gentoo/gentoo/pull/15907 | | |
| Whiteboard: | ~3 [noglsa upstream/ebuild cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 731296 | | |
| Bug Blocks: | | | |
Description
Agostino Sarubbo
2018-05-07 15:53:08 UTC
The package has no maintainer any more.

CVE-2019-3883 (https://nvd.nist.gov/vuln/detail/CVE-2019-3883): In 389-ds-base up to version 1.4.1.2, requests are handled by worker threads. Each socket will be waited by the worker for at most 'ioblocktimeout' seconds. However this timeout applies only for un-encrypted requests. Connections using SSL/TLS are not taking this timeout into account during reads, and may hang longer. An unauthenticated attacker could repeatedly create hanging LDAP requests to hang all the workers, resulting in a Denial of Service.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66a48ca5d52d4699c4ef38209dfcad8ebdd149aa

commit 66a48ca5d52d4699c4ef38209dfcad8ebdd149aa
Author: Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-06-04 18:24:47 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-04 19:14:36 +0000

net-nds/389-ds-base, dev-libs/389-adminutil: Last rites

Bug: https://bugs.gentoo.org/655176
Bug: https://bugs.gentoo.org/701812
Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

profiles/package.mask | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7414f8c33bb75cd9a4f6a61040886852fcf2afe1

commit 7414f8c33bb75cd9a4f6a61040886852fcf2afe1
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-13 04:52:07 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-13 04:52:31 +0000

dev-libs/svrcore: Remove last-rited pkg

Bug: https://bugs.gentoo.org/655176
Bug: https://bugs.gentoo.org/701812
Signed-off-by: Michał Górny <mgorny@gentoo.org>

dev-libs/svrcore/Manifest | 2 -
dev-libs/svrcore/files/svrcore-4.0.4-gentoo.patch | 100 ----------------------
dev-libs/svrcore/files/svrcore-4.1-gentoo.patch | 100 ----------------------
dev-libs/svrcore/metadata.xml | 5 --
dev-libs/svrcore/svrcore-4.0.4-r1.ebuild | 40 ---------
dev-libs/svrcore/svrcore-4.1.2.ebuild | 35 --------
profiles/package.mask | 6 --
7 files changed, 288 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aef3f76fb5607ea9fcecd97c192a0ab06d224737

commit aef3f76fb5607ea9fcecd97c192a0ab06d224737
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-13 04:51:55 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-13 04:52:27 +0000

dev-libs/389-adminutil: Remove last-rited pkg

Bug: https://bugs.gentoo.org/655176
Bug: https://bugs.gentoo.org/701812
Signed-off-by: Michał Górny <mgorny@gentoo.org>

dev-libs/389-adminutil/389-adminutil-1.1.15.ebuild | 46 ----------------------
dev-libs/389-adminutil/Manifest | 1 -
dev-libs/389-adminutil/metadata.xml | 5 ---
profiles/package.mask | 2 -
4 files changed, 54 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eb6602276b3003bcdafd619a28ac6f163f52fb30

commit eb6602276b3003bcdafd619a28ac6f163f52fb30
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-13 04:50:40 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-13 04:52:23 +0000

net-nds/389-ds-base: Remove last-rited pkg

Bug: https://bugs.gentoo.org/655176
Bug: https://bugs.gentoo.org/701812
Signed-off-by: Michał Górny <mgorny@gentoo.org>

net-nds/389-ds-base/389-ds-base-1.3.6.8-r1.ebuild | 126 -------
net-nds/389-ds-base/389-ds-base-9999.ebuild | 133 --------
net-nds/389-ds-base/Manifest | 1 -
...-base-1.3.6-backport-invalid-password-mig.patch | 376 ---------------------
net-nds/389-ds-base/files/389-ds-snmp.initd | 44 ---
net-nds/389-ds-base/files/389-ds.initd-r1 | 90 -----
net-nds/389-ds-base/metadata.xml | 23 --
7 files changed, 793 deletions(-)

~ package so noglsa, closing.