CVE-2017-15135 (https://nvd.nist.gov/vuln/detail/CVE-2017-15135): It was found that 389-ds-base since 1.3.6.1 up to and including 1.4.0.3 did not always handle internal hash comparison operations correctly during the authentication process. A remote, unauthenticated attacker could potentially use this flaw to bypass the authentication process under very rare and specific circumstances.
https://github.com/gentoo/gentoo/pull/7078
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e71df7341cdaa0a4cc2aeff56496ce1724b921d2

commit e71df7341cdaa0a4cc2aeff56496ce1724b921d2
Author:     Wes Cilldhaire <wes@sol1.com.au>
AuthorDate: 2018-02-05 01:07:25 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2018-02-05 21:50:03 +0000

    net-nds/389-ds-base: patch against CVE-2017-15135 in 1.3.6.8.

    * Patch and revbump to 1.3.6.8 to address CVE-2017-15135
    * Update copyright line in all versions for 2018

    Bug: https://bugs.gentoo.org/645706
    Acked-by: wibrown@redhat.com
    Package-Manager: Portage-2.3.20, Repoman-2.3.6
    Closes: https://github.com/gentoo/gentoo/pull/7078

 net-nds/389-ds-base/389-ds-base-1.3.5.19.ebuild    |   2 +-
 ....3.6.8.ebuild => 389-ds-base-1.3.6.8-r1.ebuild} |   4 +-
 net-nds/389-ds-base/389-ds-base-9999.ebuild        |   2 +-
 ...-base-1.3.6-backport-invalid-password-mig.patch | 376 +++++++++++++++++++++
 4 files changed, 381 insertions(+), 3 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5c73dc8bddc74876c7d3a177bf30e5d21ba3e808

commit 5c73dc8bddc74876c7d3a177bf30e5d21ba3e808
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2018-02-05 21:52:22 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2018-02-05 21:52:22 +0000

    net-nds/389-ds-base: remove vulnerable version.

    Bug: https://bugs.gentoo.org/645706
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 net-nds/389-ds-base/389-ds-base-1.3.5.19.ebuild | 124 ------------------------
 net-nds/389-ds-base/Manifest                    |   1 -
 2 files changed, 125 deletions(-)