This script is Copyright (C) 2017 Tenable Network Security, Inc.
The remote Virtuozzo host is missing a security update.
An update for 389-ds-base is now available for Red Hat Enterprise
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
389 Directory Server is an LDAP version 3 (LDAPv3) compliant server.
The base packages include the Lightweight Directory Access Protocol
(LDAP) server and command-line utilities for server administration.
Security Fix(es) :
* An invalid pointer dereference flaw was found in the way 389-ds-base
handled LDAP bind requests. A remote unauthenticated attacker could
use this flaw to make ns-slapd crash via a specially crafted LDAP bind
request, resulting in denial of service. (CVE-2017-2668)
Red Hat would like to thank Joachim Jabs (F24) for reporting this
Bug Fix(es) :
* Previously, the 'deref' plug-in failed to dereference attributes
that use distinguished name (DN) syntax, such as 'uniqueMember'. With
this patch, the 'deref' plug-in can dereference such attributes and
additionally 'Name and Optional UID' syntax. As a result, the 'deref'
plug-in now supports any syntax. (BZ#1435365)
Note that Tenable Network Security has attempted to extract the
preceding description block directly from the corresponding Red Hat
security advisory. Virtuozzo provides no description for VZLSA
advisories. Tenable has attempted to automatically clean and format
it as much as possible without introducing additional issues.
Update the affected 389-ds-base / 389-ds-base-devel / 389-ds-base-libs packages.
Risk factor :
High / CVSS Base Score : 7.8
CVSS Temporal Score : 5.8
Public Exploit Available : false