Bug 771135 (CVE-2020-35518) - <net-nds/389-ds-base-1.4.4.13: information disclosure during the binding of a DN (CVE-2020-35518)
Status: RESOLVED FIXED
Alias: CVE-2020-35518
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2021-02-17 18:52 UTC by Robert Förster
Modified: 2021-02-23 00:58 UTC

See Also:
Package list:
Runtime testing required: ---


Description Robert Förster 2021-02-17 18:52:09 UTC
RHBZ 1905565 - CVE-2020-35518 389-ds-base: information disclosure during the binding of a DN

Target version also includes a non CVE'd information disclosure fix:

RHBZ 1909675 - RHDS11: “write” permission of ACI changes ns-slapd’s behavior on search operation
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-17 18:59:32 UTC
Thank you for the report! Though please note we only set a version restriction in the summary once a fixed version is actually in tree.

Redhat advisory: https://access.redhat.com/errata/RHSA-2021:0599
Comment 2 Larry the Git Cow gentoo-dev 2021-02-22 15:03:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=621368e61de5f83f5dae1b57b4ff006a6693b986

commit 621368e61de5f83f5dae1b57b4ff006a6693b986
Author:     Robert Förster <Dessa@gmake.de>
AuthorDate: 2021-02-17 16:38:46 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-02-22 15:03:29 +0000

    net-nds/389-ds-base: remove vulnerable
    
    Bug: https://bugs.gentoo.org/771135
    
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Robert Förster <Dessa@gmake.de>
    Closes: https://github.com/gentoo/gentoo/pull/19505
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-nds/389-ds-base/389-ds-base-1.4.4.9.ebuild | 275 -------------------------
 net-nds/389-ds-base/Manifest                   |  37 ----
 2 files changed, 312 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f50467b8b65e752dd92ab170955e9cdc021b4f58

commit f50467b8b65e752dd92ab170955e9cdc021b4f58
Author:     Robert Förster <Dessa@gmake.de>
AuthorDate: 2021-02-17 16:37:43 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-02-22 15:03:29 +0000

    net-nds/389-ds-base: bump to 1.4.4.13 with fix for CVE-2020-35518
    
    Bug: https://bugs.gentoo.org/771135
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Robert Förster <Dessa@gmake.de>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-nds/389-ds-base/389-ds-base-1.4.4.13.ebuild    | 304 +++++++++++++++++++++
 net-nds/389-ds-base/Manifest                       |  65 +++++
 .../files/389-ds-base-1.4.4.13-libxcrypt.patch     |  66 +++++
 3 files changed, 435 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-23 00:58:33 UTC
Thank you! All done.