CVE-2021-4091: A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3a117fa888af153270d1b76f82a5db166768cb1 commit d3a117fa888af153270d1b76f82a5db166768cb1 Author: Dennis Lamm <expeditioneer@gentoo.org> AuthorDate: 2022-03-18 10:40:47 +0000 Commit: Dennis Lamm <expeditioneer@gentoo.org> CommitDate: 2022-03-18 17:07:32 +0000 net-nds/389-ds-base 2.1.0 version bump Closes: https://bugs.gentoo.org/832900 Bug: https://bugs.gentoo.org/833631 Signed-off-by: Dennis Lamm <expeditioneer@gentoo.org> net-nds/389-ds-base/389-ds-base-2.1.0.ebuild | 324 +++++++++++++++++++++++++++ net-nds/389-ds-base/Manifest | 1 + net-nds/389-ds-base/metadata.xml | 2 + 3 files changed, 327 insertions(+)
(In reply to Larry the Git Cow from comment #1) > The bug has been referenced in the following commit(s): > > https://gitweb.gentoo.org/repo/gentoo.git/commit/ > ?id=d3a117fa888af153270d1b76f82a5db166768cb1 > > commit d3a117fa888af153270d1b76f82a5db166768cb1 > Author: Dennis Lamm <expeditioneer@gentoo.org> > AuthorDate: 2022-03-18 10:40:47 +0000 > Commit: Dennis Lamm <expeditioneer@gentoo.org> > CommitDate: 2022-03-18 17:07:32 +0000 > > net-nds/389-ds-base 2.1.0 version bump > > Closes: https://bugs.gentoo.org/832900 > Bug: https://bugs.gentoo.org/833631 > > Signed-off-by: Dennis Lamm <expeditioneer@gentoo.org> > > net-nds/389-ds-base/389-ds-base-2.1.0.ebuild | 324 > +++++++++++++++++++++++++++ > net-nds/389-ds-base/Manifest | 1 + > net-nds/389-ds-base/metadata.xml | 2 + > 3 files changed, 327 insertions(+) Do we know if this fixes this vulnerability?
Hi John, Upstream Issue: https://github.com/389ds/389-ds-base/issues/5218 Is merged in 2.1.0 branch.
I'm not sure how you get that. The linked fix commit seems to be in 2.2.0: ~/git/389-ds-base $ git tag --contains a3c298f 389-ds-base-2.2.0
Sorry my bad. I thought that https://github.com/389ds/389-ds-base/commit/00385645f4fb103ca0107777398347fe7478d377 was merged to 2.1.0. But it was on the 2.1.0 branch. Therefore it will be fixed with a version bump to 2.1.1 or 2.2.0.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db6509134724c8a14ca82fe9e1e931f3e6e5e116 commit db6509134724c8a14ca82fe9e1e931f3e6e5e116 Author: Robert Förster <Dessa@gmake.de> AuthorDate: 2024-04-27 15:17:11 +0000 Commit: Arthur Zamarin <arthurzam@gentoo.org> CommitDate: 2024-04-28 07:08:27 +0000 net-nds/389-ds-base: drop 1.4.4.19-r4, 2.1.0-r4, 2.3.2 Bug: https://bugs.gentoo.org/849401 Bug: https://bugs.gentoo.org/835611 Bug: https://bugs.gentoo.org/833631 Signed-off-by: Robert Förster <Dessa@gmake.de> Closes: https://github.com/gentoo/gentoo/pull/36458 Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org> net-nds/389-ds-base/389-ds-base-1.4.4.19-r4.ebuild | 324 --------------------- net-nds/389-ds-base/389-ds-base-2.1.0-r4.ebuild | 321 -------------------- net-nds/389-ds-base/389-ds-base-2.3.2.ebuild | 298 ------------------- net-nds/389-ds-base/Manifest | 134 --------- ...-ds-base-2.3.2-setuptools-67-packaging-23.patch | 167 ----------- 5 files changed, 1244 deletions(-)
All done, thanks!
