Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 428178 (CVE-2012-0833) - <net-nds/389-ds-base-1.2.11.15: Multiple vulnerabilities (CVE-2012-{0833,2678,2746})
Summary: <net-nds/389-ds-base-1.2.11.15: Multiple vulnerabilities (CVE-2012-{0833,2678...
Status: RESOLVED FIXED
Alias: CVE-2012-0833
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-26 14:06 UTC by GLSAMaker/CVETool Bot
Modified: 2012-10-02 21:38 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2012-07-26 14:06:03 UTC
CVE-2012-2746 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2746):
  389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before
  8.2.10-3), when the password of a LDAP user has been changed and audit
  logging is enabled, saves the new password to the log in plain text, which
  allows remote authenticated users to read the password.

CVE-2012-2678 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2678):
  389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before
  8.2.10-3), after the password for a LDAP user has been changed and before
  the server has been reset, allows remote attackers to read the plaintext
  password via the unhashed#user#password attribute.

CVE-2012-0833 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0833):
  The acllas__handle_group_entry function in servers/plugins/acl/acllas.c in
  389 Directory Server before 1.2.10 does not properly handled access control
  instructions (ACIs) that use certificate groups, which allows remote
  authenticated LDAP users with a certificate group to cause a denial of
  service (infinite loop and CPU consumption) by binding to the server.
Comment 1 Fabio Erculiani (RETIRED) gentoo-dev 2012-10-02 20:26:36 UTC
Fixed in CVS.

  02 Oct 2012; Fabio Erculiani <lxnay@gentoo.org>
  +389-ds-base-1.2.11.15.ebuild,
  +files/389-ds-base-1.2.11.16-cve-2012-4450.patch,
  +files/389-ds-base-1.2.11-fix-mozldap.patch, -389-ds-base-1.2.8.3.ebuild,
  -389-ds-base-1.2.9.6.ebuild:
  version bump, closes #405127, #428178, #436768
Comment 2 Sean Amoss gentoo-dev Security 2012-10-02 21:38:50 UTC
Thanks, Fabio.

Closing noglsa for ~arch only.