389-ds-base-1.2.10.2-18.AXS4
Errata ID: AXSA:2012-589:02
Release date:
2012/07/24 Tuesday - 16:34
Title:
389-ds-base-1.2.10.2-18.AXS4
Affected channels:
Asianux Server 4 for x86
Asianux Server 4 for x86_64
Severity:
High
Description:
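The following issues have been addressed.
[Security Fix]
- 389 Directory Server has a vulnerability in which, after the password for an LDAP user has been changed and before the server has been reset, a remote attacker can read the plaintext password via the unhashed user password attribute. (CVE-2012-2678)
- 389 Directory Server has a vulnerability in which, when the password of an LDAP user is changed and audit logging is enabled, the new password is saved to the log in plain text, allowing remote authenticated users to read the password. (CVE-2012-2746)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp
Solution:
Update the packages.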
CVE:
CVE-2012-0833
The acllas__handle_group_entry function in servers/plugins/acl/acllas.c in 389 Directory Server before 1.2.10 does not properly handle access control instructions (ACIs) that use certificate groups, which allows remote authenticated LDAP users with a certificate group to cause a denial of service (infinite loop and CPU consumption) by binding to the server.
CVE-2012-2678
389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), after the password for an LDAP user has been changed and before the server has been reset, allows remote attackers to read the plaintext password via the unhashed#user#password attribute.
CVE-2012-2746
389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), when the password of an LDAP user has been changed and audit logging is enabled, saves the new password to the log in plain text, which allows remote authenticated users to read the password.
Additional information:
N/A
Downloads:
SRPMS
- 389-ds-base-1.2.10.2-18.AXS4.src.rpm
MD5: 5f700bb79afaf2253747c04bec567bc8
SHA-256: 76a314019d426cc816683a27cc77d51ec820414623a74544ad7527e4a9e481c4
Size: 2.85 MB
Asianux Server 4 for x86
- 389-ds-base-1.2.10.2-18.AXS4.i686.rpm
MD5: 6dba1d872b0f63bd320765e4227ec2fc
SHA-256: 8c61ef9e18c5066b4fe394df69ca6594408a0ad5a5a74207dd805be3486ca957
Size: 1.37 MB
- 389-ds-base-libs-1.2.10.2-18.AXS4.i686.rpm
MD5: 3bb91c84340637f79af8a5a45293b1ef
SHA-256: 9f9ae1f41a5144a3a7dd2f80a8f9d8faaa58ce6be4fdc88a3c261249c314311f
Size: 378.65 kB
Asianux Server 4 for x86_64
- 389-ds-base-1.2.10.2-18.AXS4.x86_64.rpm
MD5: e9338cde06b74a1c8dc16bbbf783b35f
SHA-256: aea6bd08648719161dbb536274568cf287073a1e70b6ed2b51932e2849a9d1ef
Size: 1.37 MB
- 389-ds-base-libs-1.2.10.2-18.AXS4.x86_64.rpm
MD5: bc907e01a1801f6cab3f533dba940a74
SHA-256: 86d01104a0a5e84a4971bc7bb9055e069c4c9ae9881cdec6971d76baca916eca
Size: 372.84 kB
- 389-ds-base-libs-1.2.10.2-18.AXS4.i686.rpm
MD5: 3bb91c84340637f79af8a5a45293b1ef
SHA-256: 9f9ae1f41a5144a3a7dd2f80a8f9d8faaa58ce6be4fdc88a3c261249c314311f
Size: 378.65 kB