RHEL 6 : 389-ds-base (RHSA-2015:0628)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated 389-ds-base packages that fix one security issue, two bugs,
and add one enhancement are now available for Red Hat Enterprise Linux
6.

Red Hat Product Security has rated this update as having Important
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The 389 Directory Server is an LDAPv3 compliant server. The base
packages include the Lightweight Directory Access Protocol (LDAP)
server and command-line utilities for server administration.

An information disclosure flaw was found in the way the 389 Directory
Server stored information in the Changelog that is exposed via the
'cn=changelog' LDAP sub-tree. An unauthenticated user could in certain
cases use this flaw to read data from the Changelog, which could
include sensitive information such as plain-text passwords.
(CVE-2014-8105)

This issue was discovered by Petr Spacek of the Red Hat Identity
Management Engineering Team.

This update also fixes the following bugs :

* In multi-master replication (MMR), deleting a single-valued
attribute of a Directory Server (DS) entry was previously in some
cases not correctly replicated. Consequently, the entry state in the
replica systems did not reflect the intended changes. This bug has
been fixed and the removal of a single-valued attribute is now
properly replicated. (BZ#1179099)

* Prior to this update, the Directory Server (DS) always checked the
ACI syntax. As a consequence, removing an ACI failed with a syntax
error. With this update, the ACI check is stopped when the ACI is
going to be removed, and the removal thus works as expected.
(BZ#1179100)

In addition, this update adds the following enhancement :

* The buffer size limit for the 389-ds-base application has been
increased to 2MB in order to match the buffer size limit of Simple
Authentication and Security Layer (SASL) and Basic Encoding Rules
(BER). (BZ#1179595)

All 389-ds-base users are advised to upgrade to these updated
packages, which contain backported patches to correct these issues and
add this enhancement. After installing this update, the 389 server
service will be restarted automatically.

See also :

https://www.redhat.com/security/data/cve/CVE-2014-8105.html
http://rhn.redhat.com/errata/RHSA-2015-0628.html

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Red Hat Local Security Checks

Nessus Plugin ID: 81663 ()

Bugtraq ID: 72985

CVE ID: CVE-2014-8105

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now