Bug 428178 (CVE-2012-0833) - <net-nds/389-ds-base-1.2.11.15: Multiple vulnerabilities (CVE-2012-{0833,2678,2746})
Summary: <net-nds/389-ds-base-1.2.11.15: Multiple vulnerabilities (CVE-2012-{0833,2678...
Status: RESOLVED FIXED
Alias: CVE-2012-0833
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-26 14:06 UTC by GLSAMaker/CVETool Bot
Modified: 2012-10-02 21:38 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2012-07-26 14:06:03 UTC
CVE-2012-2746 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2746):
  389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before
  8.2.10-3), when the password of an LDAP user has been changed and audit
  logging is enabled, saves the new password to the log in plain text, which
  allows remote authenticated users to read the password.

CVE-2012-2678 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2678):
  389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before
  8.2.10-3), after the password for an LDAP user has been changed and before
  the server has been reset, allows remote attackers to read the plaintext
  password via the unhashed#user#password attribute.

CVE-2012-0833 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0833):
  The acllas__handle_group_entry function in servers/plugins/acl/acllas.c in
  389 Directory Server before 1.2.10 does not properly handle access control
  instructions (ACIs) that use certificate groups, which allows remote
  authenticated LDAP users with a certificate group to cause a denial of
  service (infinite loop and CPU consumption) by binding to the server.
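A defender checking whether an existing 389-ds audit log was affected by CVE-2012-2746 or CVE-2012-2678 can scan it for password modifications whose value lacks a `{SCHEME}` hash prefix, or that touch unhashed#user#password at all. The script below is an added example, not code from the bug report or from the 389-ds project; it assumes the LDIF-like audit log layout (blank-line separated change records, `-` between mods, `attr:: base64` for encoded values) and uses a constructed sample log. It reports only the entry DN and attribute name, never the password value itself.

```python
"""Flag 389-ds audit log change records that record a password in the clear."""
import base64
import re

# A properly hashed userPassword value starts with a scheme tag such as {SSHA}.
HASH_PREFIX = re.compile(r"^\{[A-Za-z0-9-]+\}")
PASSWORD_ATTRS = {"userpassword", "unhashed#user#password"}

# Constructed sample: alice's change is hashed, bob's is stored in the clear
# and also leaks the unhashed#user#password attribute (CVE-2012-2678 pattern).
SAMPLE_LOG = """\
time: 20120726140600
dn: uid=alice,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}c29tZXNhbHRlZGhhc2g=
-

time: 20120726140700
dn: uid=bob,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: hunter2
-
replace: unhashed#user#password
unhashed#user#password:: aHVudGVyMg==
-
"""


def parse_records(text):
    """Split the log into records; each record is a list of (attr, value) pairs."""
    records, current = [], []
    for line in text.splitlines():
        if not line.strip():  # blank line ends a change record
            if current:
                records.append(current)
                current = []
            continue
        if line == "-":  # separator between mods of one modify operation
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.append((attr.strip(), value))
    if current:
        records.append(current)
    return records


def find_cleartext_passwords(text):
    """Return (dn, attribute) for every password value written without a hash scheme."""
    findings = []
    for rec in parse_records(text):
        dn = next((v for a, v in rec if a == "dn"), "?")
        for attr, value in rec:
            key = attr.lower()
            if key in PASSWORD_ATTRS and (key != "userpassword" or not HASH_PREFIX.match(value)):
                findings.append((dn, attr))  # deliberately omit the value itself
    return findings


if __name__ == "__main__":
    for dn, attr in find_cleartext_passwords(SAMPLE_LOG):
        print(f"cleartext password recorded for {dn} via {attr}")
```

Run against a real audit log (e.g. `/var/log/dirsrv/slapd-*/audit`, path assumed) any hit means the log file itself must be treated as containing credentials and rotated or purged accordingly.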
Comment 1 Fabio Erculiani (RETIRED) gentoo-dev 2012-10-02 20:26:36 UTC
Fixed in CVS.

  02 Oct 2012; Fabio Erculiani <lxnay@gentoo.org>
  +389-ds-base-1.2.11.15.ebuild,
  +files/389-ds-base-1.2.11.16-cve-2012-4450.patch,
  +files/389-ds-base-1.2.11-fix-mozldap.patch, -389-ds-base-1.2.8.3.ebuild,
  -389-ds-base-1.2.9.6.ebuild:
  version bump, closes #405127, #428178, #436768
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-02 21:38:50 UTC
Thanks, Fabio.

Closing noglsa for ~arch only.