From ${URL} :

Description

A security issue has been reported in 389 Directory Server, which can be exploited by malicious people to disclose potentially sensitive information.

The security issue is caused due to an error when evaluating search filter expressions and can be exploited to determine the values of otherwise restricted attributes via a series of search queries with certain filter conditions.

Successful exploitation requires permission to query the Directory Server.

The security issue is reported in version 1.3.0.6. Other versions may also be affected.

Solution: No official solution is currently available.

Provided and/or discovered by: Ludwig Krispenz, Red Hat via a bug report.

Original Advisory:
389 Directory Server: https://fedorahosted.org/389/ticket/47405
Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=979508

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
CVE-2013-2219 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2219): The Red Hat Directory Server before 8.2.11-13 and 389 Directory Server do not properly restrict access to entity attributes, which allows remote authenticated users to obtain sensitive information via a search query for the attribute.
Hi, We have updated 389-ds-base to 1.3.4.7. This should resolve the issue. Thanks,
Referenced commit 5a7174bf7122309eee568651fb5f3413155f9fc2
This issue was resolved in 1.3.1 per [0]. No vulnerable versions in tree. [0]: https://fedorahosted.org/389/ticket/47405