From $URL: The directory server password lockout policy prevents binds from operating once a threshold of failed passwords has been met. If an attacker binds with the correct password during this lockout, a different error code is returned. This means that the attacker has no rate limit or penalty during the account lock, and can continue to attempt passwords via brute force. Upstream bug: https://pagure.io/389-ds-base/issue/49336
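As an added illustration (not code from 389-ds-base or from the upstream fix), a minimal model of the bind path the report describes: a locked account answers a correct password with a different result than a wrong one, which turns the lock into a password oracle. The result names, threshold, timing and the hardened variant are assumptions chosen to show one way of removing that oracle, not necessarily how the project patched it.

```python
# Added example, not 389-ds-base code: models the lockout oracle and one fix.
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 3     # assumed policy values, not the server's defaults
LOCKOUT_SECONDS = 600


class Account:
    """Holds a salted password hash and the lockout state for one entry."""

    def __init__(self, password):
        self.salt = os.urandom(16)
        self.digest = self._hash(password)
        self.failures = 0
        self.locked_until = 0.0

    def _hash(self, pw):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 50_000)

    def password_ok(self, pw):
        return hmac.compare_digest(self.digest, self._hash(pw))


def _record_failure(acct, now):
    acct.failures += 1
    if acct.failures >= LOCKOUT_THRESHOLD:
        acct.locked_until = now + LOCKOUT_SECONDS
    return "invalidCredentials"


def bind_vulnerable(acct, pw, now):
    """Mirrors the reported bug: the password is verified first, and a locked
    account reports a correct password with a distinguishable result."""
    if acct.password_ok(pw):
        if now < acct.locked_until:
            return "constraintViolation"   # leaks that the password was right
        acct.failures = 0
        return "success"
    return _record_failure(acct, now)


def bind_fixed(acct, pw, now):
    """Checks the lock before the password and answers a locked account the
    same way whatever the password, so the lock reveals nothing."""
    if now < acct.locked_until:
        return "invalidCredentials"
    if acct.password_ok(pw):
        acct.failures = 0
        return "success"
    return _record_failure(acct, now)


def oracle_distinguishes(bind):
    """True if a locked account still tells correct and wrong passwords apart."""
    acct = Account("correct horse")
    t = 1000.0
    for _ in range(LOCKOUT_THRESHOLD):
        bind(acct, "wrong", t)
    return bind(acct, "correct horse", t) != bind(acct, "still wrong", t)
```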
Spoke to wibrown@, patches landing shortly
@ Maintainer(s): Patches have been committed and released in 1.3.6.7 and 1.3.5.19. Please update the ebuilds in the tree to a version with a fix.
References:
http://www.port389.org/docs/389ds/releases/release-1-3-6-7.html
http://www.port389.org/docs/389ds/releases/release-1-3-5-19.html
On it, will be submitting ebuilds shortly, thanks.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=792d4ea1a3db535bc7ae440f72c993c8c6f32d32

commit 792d4ea1a3db535bc7ae440f72c993c8c6f32d32
Author:     Wes Cilldhaire <wes@sol1.com.au>
AuthorDate: 2017-11-09 23:16:49 +0000
Commit:     Jonas Stein <jstein@gentoo.org>
CommitDate: 2017-11-09 23:44:23 +0000

    net-nds/389-ds-base: Bump to 1.3.5.19 and 1.3.6.8

    Bump to 1.3.5.19 and 1.3.6.8 to fix CVE-2017-7551

    Bug: https://bugs.gentoo.org/627038
    Acked-by: wibrown@redhat.com
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 net-nds/389-ds-base/389-ds-base-1.3.5.19.ebuild | 124 ++++++++++++++++++++++++
 net-nds/389-ds-base/389-ds-base-1.3.6.8.ebuild  | 124 ++++++++++++++++++++++++
 net-nds/389-ds-base/Manifest                    |   2 +
 3 files changed, 250 insertions(+)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=689125d6095b1737bb788463cdc7600a5861e27c

commit 689125d6095b1737bb788463cdc7600a5861e27c
Author:     Jonas Stein <jstein@gentoo.org>
AuthorDate: 2017-11-10 00:08:43 +0000
Commit:     Jonas Stein <jstein@gentoo.org>
CommitDate: 2017-11-10 00:08:43 +0000

    net-nds/389-ds-base: Remove vulnerable versions

    Removal due to CVE-2017-7551 after version bump.

    Bug: https://bugs.gentoo.org/627038
    Acked-by: wibrown@redhat.com
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 net-nds/389-ds-base/389-ds-base-1.3.4.14.ebuild | 138 ------------------------
 net-nds/389-ds-base/389-ds-base-1.3.5.17.ebuild | 124 ---------------------
 net-nds/389-ds-base/Manifest                    |   2 -
 3 files changed, 264 deletions(-)
Awesome job. Thank you all. GLSA Vote: No.