"389-ds":"1.4" 389-ds-base-1.4.3.39-25.module+el8+2005+09631633

エラータID: AXSA:2026-1264:01

Release date: 
Wednesday, July 15, 2026 - 16:56
Subject: 
"389-ds":"1.4" 389-ds-base-1.4.3.39-25.module+el8+2005+09631633
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

Security Fix(es):

* 389-ds-base: 389-ds-base: Heap buffer overflow in sasl_io_recv() via padded SASL UNBIND (CVE-2026-11610)
* 389-ds-base: 389-ds-base: integer overflow in SASL packet length bypasses size limit leading to heap buffer overflow (CVE-2026-11774)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2026-11610
A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). After a successful SASL bind with integrity protection (SSF > 0), an authenticated attacker can send a specially crafted oversized LDAP UNBIND packet that is copied into a 512-byte heap receive buffer without a bounds check in sasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of attacker-controlled data to overflow the buffer, causing a denial of service (server crash). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, any enrolled host, or any service account can trigger this vulnerability over the network after authenticating via GSSAPI. The vulnerable code path has existed since approximately 2013 (389-ds-base 1.3.2) and was not addressed by the CVE-2025-14905 fix, which patched a separate heap overflow in schema.c only.
CVE-2026-11774
An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.

Modularity name: "389-ds"
Stream name: "1.4"

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. 389-ds-base-1.4.3.39-25.module+el8+2005+09631633.src.rpm
    MD5: 3c2687c673989270c985b5f870e9e605
    SHA-256: 91a8d7ab43e8dfdbba7753e21f589f8f200549ef7aca3bf323360ed163ed2e51
    Size: 48.60 MB

Asianux Server 8 for x86_64
  1. 389-ds-base-1.4.3.39-25.module+el8+2005+09631633.x86_64.rpm
    MD5: 24c48127e1550a0d0daf8f449469db31
    SHA-256: 6421b539e028796b411d9b4b6eebd8d9f8d9af41425084a93bc7daf1b31789f8
    Size: 3.15 MB
  2. 389-ds-base-debugsource-1.4.3.39-25.module+el8+2005+09631633.x86_64.rpm
    MD5: afedfb9e394c34e3a060e33ce7c4fe6f
    SHA-256: 02a6fd17ab328c992f901e383dcbf4429e0ac14093d38c1a71215525499ad588
    Size: 2.78 MB
  3. 389-ds-base-devel-1.4.3.39-25.module+el8+2005+09631633.x86_64.rpm
    MD5: 90b3d2dc93fc6750d6c716e833bc2dc5
    SHA-256: d5e8bd352b15e37dc1a0dda8e0299abaac4705c1129e684eaa5f2514243c731e
    Size: 134.55 kB
  4. 389-ds-base-legacy-tools-1.4.3.39-25.module+el8+2005+09631633.x86_64.rpm
    MD5: 29d421619664365dfcbf9d31b730babd
    SHA-256: ffa5adfbdf232fccd65ac4ce0ed6ca5d50a9a5cfdb5ba1abd9daa96644004ca1
    Size: 286.18 kB
  5. 389-ds-base-libs-1.4.3.39-25.module+el8+2005+09631633.x86_64.rpm
    MD5: f3666bdb2386522431eac029b3c6aa20
    SHA-256: 5c3bc0cd05d36f92e286e3460cdd732b35434831e08cf17aa58a5e396fe2b598
    Size: 1.52 MB
  6. 389-ds-base-snmp-1.4.3.39-25.module+el8+2005+09631633.x86_64.rpm
    MD5: b5f574799655afba48287e463d413a36
    SHA-256: 25dcc7da3a7508b521de2c212427b12159f143497aee5be8827d8177d4a326dd
    Size: 47.69 kB
  7. python3-lib389-1.4.3.39-25.module+el8+2005+09631633.noarch.rpm
    MD5: f462f944d685dce5c38421814dabe4bf
    SHA-256: dcaaa7be6358f5e95fa2cb458dec49563de4f395ddf209cf1449887000e9b32a
    Size: 0.98 MB