Scientific Linux Security Update : 389-ds-base on SL7.x x86_64
Medium Nessus Plugin ID 95832
SynopsisThe remote Scientific Linux host is missing one or more security updates.
DescriptionThe following packages have been upgraded to a newer upstream version:
389 -ds-base (184.108.40.206).
Security Fix(es) :
- It was found that 389 Directory Server was vulnerable to a flaw in which the default ACI (Access Control Instructions) could be read by an anonymous user. This could lead to leakage of sensitive information.
- An information disclosure flaw was found in 389 Directory Server. A user with no access to objects in certain LDAP sub-tree could send LDAP ADD operations with a specific object name. The error message returned to the user was different based on whether the target object existed or not. (CVE-2016-4992)
- It was found that 389 Directory Server was vulnerable to a remote password disclosure via timing attack. A remote attacker could possibly use this flaw to retrieve directory server password after many tries.
The CVE-2016-5416 issue was discovered by Viktor Ashirov (Red Hat);
the CVE-2016-4992 issue was discovered by Petr Spacek (Red Hat) and Martin Basti (Red Hat); and the CVE-2016-5405 issue was discovered by William Brown (Red Hat).
Additional Changes :
SolutionUpdate the affected packages.