Bug 536334 - <net-nds/389-ds-base-1.3.4.8: Information disclosure vulnerability (CVE-2014-3562)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Reported: 2015-01-11 18:16 UTC by GLSAMaker/CVETool Bot
Modified: 2016-07-24 11:52 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 18:16:56 UTC
CVE-2014-3562 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3562):
  Red Hat Directory Server 8 and 389 Directory Server, when debugging is
  enabled, allows remote attackers to obtain sensitive replicated metadata by
  searching the directory.


This bug is fixed in 389 DS version 1.3.2.22.
Comment 1 Pacho Ramos gentoo-dev 2015-11-05 16:09:27 UTC
Either someone volunteers for maintaining this or we treeclean this stuff:
net-nds/389-ds-base
app-admin/389-ds-console
Comment 2 Michael Palimaka (kensington) gentoo-dev 2016-01-29 08:14:03 UTC
Someone volunteered to maintain it in bug #573262.
Comment 3 Adam Feldman gentoo-dev 2016-02-05 07:08:53 UTC
net-nds/389-ds-base vulnerable version removed, and version bumped in commit 5a7174bf7122309eee568651fb5f3413155f9fc2.  Maintainers are working on the other one, so please don't remove from the tree.
Comment 4 William Brown 2016-02-07 01:48:53 UTC
Hi,

We have updated 389-ds-base to 1.3.4.7. This should resolve the issue.

Thanks,
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-03-29 11:31:53 UTC
No vulnerable versions in tree.
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-07-24 10:40:08 UTC
This bug is still referred to as the masking reason for a number of packages:

# NP-Hardass <NP-Hardass@gentoo.org> (05 Feb 2016)
# Security issues bug #536334. Under investigation by maintainer.
app-admin/389-ds-console
net-nds/389-admin
app-admin/389-admin-console
www-apps/389-dsgw

Please either lastrite the packages or well... proceed with your investigation.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-07-24 11:11:51 UTC
The referenced packages are not affected by this security bug.

@maintainer, the mask was left in place for your action.
Comment 9 Wes 2016-07-24 11:28:52 UTC
Neither wibrown nor myself are listed as maintainer on these remaining packages.  Upstream says they are defunct.  Last rite them I guess?
Comment 10 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-07-24 11:52:01 UTC
(In reply to Wes from comment #9)
> Neither wibrown nor myself are listed as maintainer on these remaining
> packages.  Upstream says they are defunct.  Last rite them I guess?

I've opened #589592 to take care of that without spamming secteam ;-).