| Summary: | <net-nds/389-ds-base-3.0.2: multiple vulnerabilities | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | chris, Dessa, proxy-maint |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://github.com/389ds/389-ds-base/issues/5418 | ||
| See Also: |
https://bugs.gentoo.org/show_bug.cgi?id=833631 https://github.com/gentoo/gentoo/pull/36458 |
||
| Whiteboard: | ~3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
John Helmert III
2022-03-19 04:59:47 UTC
CVE-2022-0996 (https://github.com/ByteHackr/389-ds-base): https://bugzilla.redhat.com/show_bug.cgi?id=2064769 A vulnerability was found in the 389 Directory Server that allows expired passwords to access the database to cause improper authentication. (In reply to John Helmert III from comment #0) > CVE-2022-0918: > > A vulnerability was discovered in the 389 Directory Server that allows an > unauthenticated attacker with network access to the LDAP port to cause a > denial of service. The denial of service is triggered by a single message > sent over a TCP connection, no bind or other authentication is required. The > message triggers a segmentation fault that results in slapd crashing. > > No references to upstream again. https://github.com/389ds/389-ds-base/issues/5242 Unreleased patches for each branch linked in a comment on the issue. CVE-2022-2850 (https://bugzilla.redhat.com/show_bug.cgi?id=2118691): A flaw was found In 389-ds-base. When the Content Synchronization plugin is enabled, an authenticated user can reach a NULL pointer dereference using a specially crafted query. This flaw allows an authenticated attacker to cause a denial of service. This CVE is assigned against an incomplete fix of CVE-2021-3514. RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=2055815 Patches exist in all branches. Fix seems released in 2.1.5 for 2.1.x, but seemingly not yet for 1.4.x. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db6509134724c8a14ca82fe9e1e931f3e6e5e116 commit db6509134724c8a14ca82fe9e1e931f3e6e5e116 Author: Robert Förster <Dessa@gmake.de> AuthorDate: 2024-04-27 15:17:11 +0000 Commit: Arthur Zamarin <arthurzam@gentoo.org> CommitDate: 2024-04-28 07:08:27 +0000 net-nds/389-ds-base: drop 1.4.4.19-r4, 2.1.0-r4, 2.3.2 Bug: https://bugs.gentoo.org/849401 Bug: https://bugs.gentoo.org/835611 Bug: https://bugs.gentoo.org/833631 Signed-off-by: Robert Förster <Dessa@gmake.de> Closes: https://github.com/gentoo/gentoo/pull/36458 Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org> net-nds/389-ds-base/389-ds-base-1.4.4.19-r4.ebuild | 324 --------------------- net-nds/389-ds-base/389-ds-base-2.1.0-r4.ebuild | 321 -------------------- net-nds/389-ds-base/389-ds-base-2.3.2.ebuild | 298 ------------------- net-nds/389-ds-base/Manifest | 134 --------- ...-ds-base-2.3.2-setuptools-67-packaging-23.patch | 167 ----------- 5 files changed, 1244 deletions(-) All done, thanks! |