-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: 389-ds-base security, bug fix, and enhancement update Advisory ID: RHSA-2018:3127-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2018:3127 Issue date: 2018-10-30 CVE Names: CVE-2018-14648 ===================================================================== 1. Summary: An update for 389-ds-base is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64le, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, ppc64le Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - aarch64, ppc64le, s390x 3. Description: 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. The following packages have been upgraded to a later upstream version: 389-ds-base (1.3.8.4). (BZ#1560653) Security Fix(es): * 389-ds-base: Mishandled search requests in servers/slapd/search.c:do_search() allows for denial of service (CVE-2018-14648) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing this update, the 389 server service will be restarted automatically. 5. Bugs fixed (https://bugzilla.redhat.com/): 1515190 - "Truncated search results" pop-up appears in user details in WebUI 1525256 - Invalid SNMP MIB for 389 DS 1541098 - ds-replcheck: add -W option to ask for the password from stdin instead of passing it on command line 1544477 - IPA server is not responding, all authentication and admin tests failed 1551063 - replica_write_ruv log a failure even when it succeeds 1551065 - ds-replcheck LDIF comparision fails when checking for conflicts 1551071 - memberof fails if group is moved into scope 1552698 - replicated operations should be serialized. 1556803 - ds-replcheck command returns traceback errors against empty ldif files when run in offline mode 1556863 - ds-replcheck command for "LDAP with StartTLS" using -Z option should be more robust 1559945 - adjustment of csn_generator can fail so next generated csn can be equal to the most recent one received 1560653 - Rebase 389-ds-base in RHEL 7.6 to 1.3.8 1566444 - crash in connection table / nunc-stans ? 1567042 - ns-slapd segfaults with ERR - connection_release_nolock_ext - conn=0 fd=0 Attempt to release connection that is not acquired 1568462 - disk monitoring setting the wrong default error log level 1570033 - Errors log full of " WARN - keys2idl - recieved NULL idl from index_read_ext_allids, treating as empty set" messages 1570649 - pwdhash segfaults when CRYPT storage scheme is used 1574602 - Replication stops working when MemberOf plugin is enabled on hub and consumer 1576485 - Upgrade script doesn't enable PBKDF password storage plug-in 1581737 - passthrough plugin configured to do starttls does not work. 1582092 - passwordMustChange attribute is not honored by a RO consumer if "Chain on Update" is implemented on the RO consumer 1582747 - DS only accepts RSA and Fortezza cipher families 1593807 - Fine grained password policy can impact search performance 1596467 - IPA upgrade fails for latest ipa package 1597384 - Async operations can hang when the server is running nunc-stans 1597518 - ds-replcheck command returns traceback errors against ldif files having garbage content when run in offline mode 1598186 - A search with the scope "one" returns a non-matching entry. 1598478 - If a replica is created with a bindDNGroup, this group is taken into account only after bindDNGroupCheckInterval seconds 1598718 - import fails if backend name is "default" 1602425 - ipa user commands when used with '--random' or '--password' option returns 'Constraint violation: Pre-Encoded passwords are not valid' error 1607078 - CVE-2018-10935 389-ds-base: ldapsearch with server side sort crashes the ldap server [rhel-7.6] 1614501 - Disable nunc-stans by default 1614820 - 389-ds-base: Crash in vslapd_log_emergency_error [rhel-7.6] 1616412 - ipa certmap-match fails to find ipa user when altSecurityIdentities in mapping rule 1630668 - CVE-2018-14648 389-ds-base: Mishandled search requests in servers/slapd/search.c:do_search() allows for denial of service 6. Package List: Red Hat Enterprise Linux Client Optional (v. 7): Source: 389-ds-base-1.3.8.4-15.el7.src.rpm x86_64: 389-ds-base-1.3.8.4-15.el7.x86_64.rpm 389-ds-base-debuginfo-1.3.8.4-15.el7.x86_64.rpm 389-ds-base-devel-1.3.8.4-15.el7.x86_64.rpm 389-ds-base-libs-1.3.8.4-15.el7.x86_64.rpm 389-ds-base-snmp-1.3.8.4-15.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): Source: 389-ds-base-1.3.8.4-15.el7.src.rpm x86_64: 389-ds-base-1.3.8.4-15.el7.x86_64.rpm 389-ds-base-debuginfo-1.3.8.4-15.el7.x86_64.rpm 389-ds-base-devel-1.3.8.4-15.el7.x86_64.rpm 389-ds-base-libs-1.3.8.4-15.el7.x86_64.rpm 389-ds-base-snmp-1.3.8.4-15.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: 389-ds-base-1.3.8.4-15.el7.src.rpm ppc64le: 389-ds-base-1.3.8.4-15.el7.ppc64le.rpm 389-ds-base-debuginfo-1.3.8.4-15.el7.ppc64le.rpm 389-ds-base-libs-1.3.8.4-15.el7.ppc64le.rpm x86_64: 389-ds-base-1.3.8.4-15.el7.x86_64.rpm 389-ds-base-debuginfo-1.3.8.4-15.el7.x86_64.rpm 389-ds-base-libs-1.3.8.4-15.el7.x86_64.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7): Source: 389-ds-base-1.3.8.4-15.el7.src.rpm aarch64: 389-ds-base-1.3.8.4-15.el7.aarch64.rpm 389-ds-base-debuginfo-1.3.8.4-15.el7.aarch64.rpm 389-ds-base-libs-1.3.8.4-15.el7.aarch64.rpm ppc64le: 389-ds-base-1.3.8.4-15.el7.ppc64le.rpm 389-ds-base-debuginfo-1.3.8.4-15.el7.ppc64le.rpm 389-ds-base-libs-1.3.8.4-15.el7.ppc64le.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7): Source: 389-ds-base-1.3.8.4-15.el7.src.rpm aarch64: 389-ds-base-debuginfo-1.3.8.4-15.el7.aarch64.rpm 389-ds-base-devel-1.3.8.4-15.el7.aarch64.rpm 389-ds-base-snmp-1.3.8.4-15.el7.aarch64.rpm ppc64le: 389-ds-base-debuginfo-1.3.8.4-15.el7.ppc64le.rpm 389-ds-base-devel-1.3.8.4-15.el7.ppc64le.rpm 389-ds-base-snmp-1.3.8.4-15.el7.ppc64le.rpm s390x: 389-ds-base-1.3.8.4-15.el7.s390x.rpm 389-ds-base-debuginfo-1.3.8.4-15.el7.s390x.rpm 389-ds-base-devel-1.3.8.4-15.el7.s390x.rpm 389-ds-base-libs-1.3.8.4-15.el7.s390x.rpm 389-ds-base-snmp-1.3.8.4-15.el7.s390x.rpm Red Hat Enterprise Linux Server Optional (v. 7): Source: 389-ds-base-1.3.8.4-15.el7.src.rpm ppc64: 389-ds-base-1.3.8.4-15.el7.ppc64.rpm 389-ds-base-debuginfo-1.3.8.4-15.el7.ppc64.rpm 389-ds-base-devel-1.3.8.4-15.el7.ppc64.rpm 389-ds-base-libs-1.3.8.4-15.el7.ppc64.rpm 389-ds-base-snmp-1.3.8.4-15.el7.ppc64.rpm ppc64le: 389-ds-base-debuginfo-1.3.8.4-15.el7.ppc64le.rpm 389-ds-base-devel-1.3.8.4-15.el7.ppc64le.rpm 389-ds-base-snmp-1.3.8.4-15.el7.ppc64le.rpm s390x: 389-ds-base-1.3.8.4-15.el7.s390x.rpm 389-ds-base-debuginfo-1.3.8.4-15.el7.s390x.rpm 389-ds-base-devel-1.3.8.4-15.el7.s390x.rpm 389-ds-base-libs-1.3.8.4-15.el7.s390x.rpm 389-ds-base-snmp-1.3.8.4-15.el7.s390x.rpm x86_64: 389-ds-base-debuginfo-1.3.8.4-15.el7.x86_64.rpm 389-ds-base-devel-1.3.8.4-15.el7.x86_64.rpm 389-ds-base-snmp-1.3.8.4-15.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: 389-ds-base-1.3.8.4-15.el7.src.rpm x86_64: 389-ds-base-1.3.8.4-15.el7.x86_64.rpm 389-ds-base-debuginfo-1.3.8.4-15.el7.x86_64.rpm 389-ds-base-libs-1.3.8.4-15.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: 389-ds-base-debuginfo-1.3.8.4-15.el7.x86_64.rpm 389-ds-base-devel-1.3.8.4-15.el7.x86_64.rpm 389-ds-base-snmp-1.3.8.4-15.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-14648 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/index 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBW9gQqdzjgjWX9erEAQgLQQ/9Hs/1UnWZGGjCXo5bgWBO9igqml/vo3lP NH2/XF8Sc2VmpZJsk9WKpPOwixQDRXvGIMPsqAUqhaMGv5Z9jIjLi0wTz8SVOfyR l079piH7sp+XPNjXkM6kiFkYBaP9yCWZ2qDBlrYWEO7MXNlNcj6qp5mlH3UTCpVC raB+ixFxgw65IkZ6yYTU+htcKB/4XoIbnuHOWGG32Sg3MhzOiScrBNM323bSvEZf 7wSBsoydQMcNZxdHK5PbUt8Fd1EjMcE8Bgksb8MIOPeSk75FZd9CUmvg4i7eq+be Wq5o2BBe+wwtwfmzX0/Vszz4IRJZKyk61uZWAzkc9NIv61YUkyg2qaPjcg2tNg+3 WYi2HRwIkn3KN6Epw1/TYqD5U6lIl6gMobCwMzBUn4f1KuVI1X9BUt45SVyPqqRf aodwxbwPoO8jDlh5EX/OtoFwZtgwvNTXKpHiwC0CHRy7NEiUNvMg6IHaIHfOGCp2 TujRo6ZqeZqpEY43gkNTBvruhn+7f0ZInAGwn7U2nsCuN5iGjEiPmAfv9IjlJVz6 Q1NQkyFVLGeKKxuYmUR5k33AyB+MrEUkY1eoaABUYRhu/v1swrNt66/9eGCfuqGl 5hSOIY8Ar/GBWGsGcoFNHt/Vpbe4u3dx7pEz9u5fTNRqABnvSkg7RZw2zN4ZBU9G 5/ZKjqkY2JU= =dHjl -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce