"389-ds":"1.4" 389-ds-base-1.4.3.39-25.module+el8+2005+09631633
エラータID: AXSA:2026-1264:01
389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.
Security Fix(es):
* 389-ds-base: 389-ds-base: Heap buffer overflow in sasl_io_recv() via padded SASL UNBIND (CVE-2026-11610)
* 389-ds-base: 389-ds-base: integer overflow in SASL packet length bypasses size limit leading to heap buffer overflow (CVE-2026-11774)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-11610
A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). After a successful SASL bind with integrity protection (SSF > 0), an authenticated attacker can send a specially crafted oversized LDAP UNBIND packet that is copied into a 512-byte heap receive buffer without a bounds check in sasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of attacker-controlled data to overflow the buffer, causing a denial of service (server crash). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, any enrolled host, or any service account can trigger this vulnerability over the network after authenticating via GSSAPI. The vulnerable code path has existed since approximately 2013 (389-ds-base 1.3.2) and was not addressed by the CVE-2025-14905 fix, which patched a separate heap overflow in schema.c only.
CVE-2026-11774
An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.
Modularity name: "389-ds"
Stream name: "1.4"
Update packages.
A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). After a successful SASL bind with integrity protection (SSF > 0), an authenticated attacker can send a specially crafted oversized LDAP UNBIND packet that is copied into a 512-byte heap receive buffer without a bounds check in sasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of attacker-controlled data to overflow the buffer, causing a denial of service (server crash). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, any enrolled host, or any service account can trigger this vulnerability over the network after authenticating via GSSAPI. The vulnerable code path has existed since approximately 2013 (389-ds-base 1.3.2) and was not addressed by the CVE-2025-14905 fix, which patched a separate heap overflow in schema.c only.
An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.
N/A
SRPMS
- 389-ds-base-1.4.3.39-25.module+el8+2005+09631633.src.rpm
MD5: 3c2687c673989270c985b5f870e9e605
SHA-256: 91a8d7ab43e8dfdbba7753e21f589f8f200549ef7aca3bf323360ed163ed2e51
Size: 48.60 MB
Asianux Server 8 for x86_64
- 389-ds-base-1.4.3.39-25.module+el8+2005+09631633.x86_64.rpm
MD5: 24c48127e1550a0d0daf8f449469db31
SHA-256: 6421b539e028796b411d9b4b6eebd8d9f8d9af41425084a93bc7daf1b31789f8
Size: 3.15 MB - 389-ds-base-debugsource-1.4.3.39-25.module+el8+2005+09631633.x86_64.rpm
MD5: afedfb9e394c34e3a060e33ce7c4fe6f
SHA-256: 02a6fd17ab328c992f901e383dcbf4429e0ac14093d38c1a71215525499ad588
Size: 2.78 MB - 389-ds-base-devel-1.4.3.39-25.module+el8+2005+09631633.x86_64.rpm
MD5: 90b3d2dc93fc6750d6c716e833bc2dc5
SHA-256: d5e8bd352b15e37dc1a0dda8e0299abaac4705c1129e684eaa5f2514243c731e
Size: 134.55 kB - 389-ds-base-legacy-tools-1.4.3.39-25.module+el8+2005+09631633.x86_64.rpm
MD5: 29d421619664365dfcbf9d31b730babd
SHA-256: ffa5adfbdf232fccd65ac4ce0ed6ca5d50a9a5cfdb5ba1abd9daa96644004ca1
Size: 286.18 kB - 389-ds-base-libs-1.4.3.39-25.module+el8+2005+09631633.x86_64.rpm
MD5: f3666bdb2386522431eac029b3c6aa20
SHA-256: 5c3bc0cd05d36f92e286e3460cdd732b35434831e08cf17aa58a5e396fe2b598
Size: 1.52 MB - 389-ds-base-snmp-1.4.3.39-25.module+el8+2005+09631633.x86_64.rpm
MD5: b5f574799655afba48287e463d413a36
SHA-256: 25dcc7da3a7508b521de2c212427b12159f143497aee5be8827d8177d4a326dd
Size: 47.69 kB - python3-lib389-1.4.3.39-25.module+el8+2005+09631633.noarch.rpm
MD5: f462f944d685dce5c38421814dabe4bf
SHA-256: dcaaa7be6358f5e95fa2cb458dec49563de4f395ddf209cf1449887000e9b32a
Size: 0.98 MB