Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 461522 (CVE-2013-0312) - <net-nds/389-ds-base-1.3.0.4 : unauthenticated denial of service vulnerability in handling of LDAPv3 control data (CVE-2013-0312)
Summary: <net-nds/389-ds-base-1.3.0.4 : unauthenticated denial of service vulnerabilit...
Status: RESOLVED FIXED
Alias: CVE-2013-0312
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~3 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-12 14:25 UTC by Agostino Sarubbo
Modified: 2016-03-01 06:02 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-03-12 14:25:11 UTC
From ${URL} :

It was discovered that an anonymous (or bound) LDAP request to the 389 Directory Server could 
trigger a crash of the server when handling LDAP V3 control data.  If a malicious unauthenticated 
user were to send an LDAP request containing crafted LDAPv3 control data, they could cause the 
server to crash, denying service to the directory.
Comment 1 Fabio Erculiani (RETIRED) gentoo-dev 2013-03-14 18:02:19 UTC
I am bumping it+*389-ds-base-1.3.0.2 (14 Mar 2013)
+
+  14 Mar 2013; Fabio Erculiani <lxnay@gentoo.org> +389-ds-base-1.3.0.2.ebuild,
+  -389-ds-base-1.2.11.15.ebuild:
+  version bump, fixes bug #461522
+

+*389-dsgw-1.1.10 (14 Mar 2013)
+
+  14 Mar 2013; Fabio Erculiani <lxnay@gentoo.org> +389-dsgw-1.1.10.ebuild,
+  -389-dsgw-1.1.7.ebuild:
+  version bump, fixes #461522
+
Comment 2 Sean Amoss gentoo-dev Security 2013-03-14 22:00:05 UTC
Thanks, Fabio.

Closing noglsa for ~arch only.
Comment 3 Agostino Sarubbo gentoo-dev 2013-03-15 19:18:04 UTC
reopening:

http://web.nvd.nist.gov/view/vuln/detail;jsessionid=8C25BABFBC85771DF1D2687853BF2462?vulnId=CVE-2013-0312

389 Directory Server before 1.3.0.4 allows remote attackers to cause a denial of service (crash) via a zero length LDAP control sequence.


@lxnay, I guess you need to bump the 1.3.0.4
Comment 4 Fabio Erculiani (RETIRED) gentoo-dev 2013-03-15 19:20:05 UTC
1.3.0.4 is testing (see $HOMEPAGE).
Then the patch must be backported.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-03-21 18:43:51 UTC
CVE-2013-0312 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0312):
  389 Directory Server before 1.3.0.4 allows remote attackers to cause a
  denial of service (crash) via a zero length LDAP control sequence.
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-17 00:31:50 UTC
Any word on a bump here?
Comment 7 William Brown 2016-02-07 01:47:37 UTC
Hi,

We have updated 389-ds-base to 1.3.4.7. This should resolve the issue.

Thanks,
Comment 8 Adam Feldman gentoo-dev 2016-02-07 01:56:56 UTC
Referenced commit 5a7174bf7122309eee568651fb5f3413155f9fc2
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-01 06:02:22 UTC
All vulnerable versions removed from tree.  GLSA Vote: No