CVE-2022-0918: A vulnerability was discovered in the 389 Directory Server that allows an unauthenticated attacker with network access to the LDAP port to cause a denial of service. The denial of service is triggered by a single message sent over a TCP connection, no bind or other authentication is required. The message triggers a segmentation fault that results in slapd crashing. No references to upstream again.
CVE-2022-0996 (https://github.com/ByteHackr/389-ds-base): https://bugzilla.redhat.com/show_bug.cgi?id=2064769 A vulnerability was found in the 389 Directory Server that allows expired passwords to access the database to cause improper authentication.
(In reply to John Helmert III from comment #0) > CVE-2022-0918: > > A vulnerability was discovered in the 389 Directory Server that allows an > unauthenticated attacker with network access to the LDAP port to cause a > denial of service. The denial of service is triggered by a single message > sent over a TCP connection, no bind or other authentication is required. The > message triggers a segmentation fault that results in slapd crashing. > > No references to upstream again. https://github.com/389ds/389-ds-base/issues/5242 Unreleased patches for each branch linked in a comment on the issue.
CVE-2022-2850 (https://bugzilla.redhat.com/show_bug.cgi?id=2118691): A flaw was found In 389-ds-base. When the Content Synchronization plugin is enabled, an authenticated user can reach a NULL pointer dereference using a specially crafted query. This flaw allows an authenticated attacker to cause a denial of service. This CVE is assigned against an incomplete fix of CVE-2021-3514. RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=2055815 Patches exist in all branches. Fix seems released in 2.1.5 for 2.1.x, but seemingly not yet for 1.4.x.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db6509134724c8a14ca82fe9e1e931f3e6e5e116 commit db6509134724c8a14ca82fe9e1e931f3e6e5e116 Author: Robert Förster <Dessa@gmake.de> AuthorDate: 2024-04-27 15:17:11 +0000 Commit: Arthur Zamarin <arthurzam@gentoo.org> CommitDate: 2024-04-28 07:08:27 +0000 net-nds/389-ds-base: drop 1.4.4.19-r4, 2.1.0-r4, 2.3.2 Bug: https://bugs.gentoo.org/849401 Bug: https://bugs.gentoo.org/835611 Bug: https://bugs.gentoo.org/833631 Signed-off-by: Robert Förster <Dessa@gmake.de> Closes: https://github.com/gentoo/gentoo/pull/36458 Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org> net-nds/389-ds-base/389-ds-base-1.4.4.19-r4.ebuild | 324 --------------------- net-nds/389-ds-base/389-ds-base-2.1.0-r4.ebuild | 321 -------------------- net-nds/389-ds-base/389-ds-base-2.3.2.ebuild | 298 ------------------- net-nds/389-ds-base/Manifest | 134 --------- ...-ds-base-2.3.2-setuptools-67-packaging-23.patch | 167 ----------- 5 files changed, 1244 deletions(-)
All done, thanks!