389-ds-base-1.2.10.2-18.AXS4

エラータID: AXSA:2012-589:02

Release date: 
Tuesday, July 24, 2012 - 16:34
Subject: 
389-ds-base-1.2.10.2-18.AXS4
Affected Channels: 
Asianux Server 4 for x86
Asianux Server 4 for x86_64
Severity: 
High
Description: 

389 Directory Server is an LDAPv3 compliant server. The base package includes the LDAP server and command line utilities for server administration.

Security issues fixed with this release:

• CVE-2012-0833
The acllas__handle_group_entry function in servers/plugins/acl/acllas.c in 389 Directory Server before 1.2.10 does not properly handled access control instructions (ACIs) that use certificate groups, which allows remote authenticated LDAP users with a certificate group to cause a denial of service (infinite loop and CPU consumption) by binding to the server.

• CVE-2012-2678
389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), after the password for a LDAP user has been changed and before the server has been reset, allows remote attackers to read the plain text password via the unhashed#user#password attribute.

• CVE-2012-2746
389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), when the password of a LDAP user has been changed and audit logging is enabled, saves the new password to the log in plain text, which allows remote authenticated users to read the password.

Bug Fixes

This update also fixes many bugs, too many to list here. Please refer to the changelog.

Solution: 

Update packages.

CVEs: 
CVE-2012-0833
The acllas__handle_group_entry function in servers/plugins/acl/acllas.c in 389 Directory Server before 1.2.10 does not properly handled access control instructions (ACIs) that use certificate groups, which allows remote authenticated LDAP users with a certificate group to cause a denial of service (infinite loop and CPU consumption) by binding to the server.
CVE-2012-2678
389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), after the password for a LDAP user has been changed and before the server has been reset, allows remote attackers to read the plaintext password via the unhashed#user#password attribute.
CVE-2012-2746
389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), when the password of a LDAP user has been changed and audit logging is enabled, saves the new password to the log in plain text, which allows remote authenticated users to read the password.




Additional Info: 

N/A

Download: 

SRPMS
  1. 389-ds-base-1.2.10.2-18.AXS4.src.rpm
    MD5: 5f700bb79afaf2253747c04bec567bc8
    SHA-256: 76a314019d426cc816683a27cc77d51ec820414623a74544ad7527e4a9e481c4
    Size: 2.85 MB

Asianux Server 4 for x86
  1. 389-ds-base-1.2.10.2-18.AXS4.i686.rpm
    MD5: 6dba1d872b0f63bd320765e4227ec2fc
    SHA-256: 8c61ef9e18c5066b4fe394df69ca6594408a0ad5a5a74207dd805be3486ca957
    Size: 1.37 MB
  2. 389-ds-base-libs-1.2.10.2-18.AXS4.i686.rpm
    MD5: 3bb91c84340637f79af8a5a45293b1ef
    SHA-256: 9f9ae1f41a5144a3a7dd2f80a8f9d8faaa58ce6be4fdc88a3c261249c314311f
    Size: 378.65 kB

Asianux Server 4 for x86_64
  1. 389-ds-base-1.2.10.2-18.AXS4.x86_64.rpm
    MD5: e9338cde06b74a1c8dc16bbbf783b35f
    SHA-256: aea6bd08648719161dbb536274568cf287073a1e70b6ed2b51932e2849a9d1ef
    Size: 1.37 MB
  2. 389-ds-base-libs-1.2.10.2-18.AXS4.x86_64.rpm
    MD5: bc907e01a1801f6cab3f533dba940a74
    SHA-256: 86d01104a0a5e84a4971bc7bb9055e069c4c9ae9881cdec6971d76baca916eca
    Size: 372.84 kB
  3. 389-ds-base-libs-1.2.10.2-18.AXS4.i686.rpm
    MD5: 3bb91c84340637f79af8a5a45293b1ef
    SHA-256: 9f9ae1f41a5144a3a7dd2f80a8f9d8faaa58ce6be4fdc88a3c261249c314311f
    Size: 378.65 kB