-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: 389-ds-base security and bug fix update Advisory ID: RHSA-2018:1380-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2018:1380 Issue date: 2018-05-14 CVE Names: CVE-2018-1089 ===================================================================== 1. Summary: An update for 389-ds-base is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64le, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, ppc64le Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - aarch64, ppc64le, s390x 3. Description: 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. Security Fix(es): * 389-ds-base: ns-slapd crash via large filter value in ldapsearch (CVE-2018-1089) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Greg Kubok for reporting this issue. Bug Fix(es): * Indexing tasks in Directory Server contain the nsTaskStatus attribute to monitor whether the task is completed and the database is ready to receive updates. Before this update, the server set the value that indexing had completed before the database was ready to receive updates. Applications which monitor nsTaskStatus could start sending updates as soon as indexing completed, but before the database was ready. As a consequence, the server rejected updates with an UNWILLING_TO_PERFORM error. The problem has been fixed. As a result, the nsTaskStatus attribute now shows that indexing is completed after the database is ready to receive updates. (BZ#1553605) * Previously, Directory Server did not remember when the first operation, bind, or a connection was started. As a consequence, the server applied in certain situations anonymous resource limits to an authenticated client. With this update, Directory Server properly marks authenticated client connections. As a result, it applies the correct resource limits, and authenticated clients no longer get randomly restricted by anonymous resource limits. (BZ#1554720) * When debug replication logging is enabled, Directory Server incorrectly logged an error that updating the replica update vector (RUV) failed when in fact the update succeeded. The problem has been fixed, and the server no longer logs an error if updating the RUV succeeds. (BZ#1559464) * This update adds the -W option to the ds-replcheck utility. With this option, ds-replcheck asks for the password, similar to OpenLDAP utilities. As a result, the password is not stored in the shell's history file when the -W option is used. (BZ#1559760) * If an administrator moves a group in Directory Server from one subtree to another, the memberOf plug-in deletes the memberOf attribute with the old value and adds a new memberOf attribute with the new group's distinguished name (DN) in affected user entries. Previously, if the old subtree was not within the scope of the memberOf plug-in, deleting the old memberOf attribute failed because the values did not exist. As a consequence, the plug-in did not add the new memberOf value, and the user entry contained an incorrect memberOf value. With this update, the plug-in now checks the return code when deleting the old value. If the return code is "no such value", the plug-in only adds the new memberOf value. As a result, the memberOf attribute information is correct. (BZ#1559764) * In a Directory Server replication topology, updates are managed by using Change Sequence Numbers (CSN) based on time stamps. New CSNs must be higher than the highest CSN present in the relative update vector (RUV). In case the server generates a new CSN in the same second as the most recent CSN, the sequence number is increased to ensure that it is higher. However, if the most recent CSN and the new CSN were identical, the sequence number was not increased. In this situation, the new CSN was, except the replica ID, identical to the most recent one. As a consequence, a new update in the directory appeared in certain situations older than the most recent update. With this update, Directory Server increases the CSN if the sequence number is lower or equal to the most recent one. As a result, new updates are no longer considered older than the most recent data. (BZ#1563079) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing this update, the 389 server service will be restarted automatically. 5. Bugs fixed (https://bugzilla.redhat.com/): 1554720 - "Truncated search results" pop-up appears in user details in WebUI [rhel-7.5.z] 1559464 - replica_write_ruv log a failure even when it succeeds [rhel-7.5.z] 1559760 - ds-replcheck: add -W option to ask for the password from stdin instead of passing it on command line [rhel-7.5.z] 1559764 - memberof fails if group is moved into scope [rhel-7.5.z] 1559802 - CVE-2018-1089 389-ds-base: ns-slapd crash via large filter value in ldapsearch 1563079 - adjustment of csn_generator can fail so next generated csn can be equal to the most recent one received [rhel-7.5.z] 6. Package List: Red Hat Enterprise Linux Client Optional (v. 7): Source: 389-ds-base-1.3.7.5-21.el7_5.src.rpm x86_64: 389-ds-base-1.3.7.5-21.el7_5.x86_64.rpm 389-ds-base-debuginfo-1.3.7.5-21.el7_5.x86_64.rpm 389-ds-base-devel-1.3.7.5-21.el7_5.x86_64.rpm 389-ds-base-libs-1.3.7.5-21.el7_5.x86_64.rpm 389-ds-base-snmp-1.3.7.5-21.el7_5.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): Source: 389-ds-base-1.3.7.5-21.el7_5.src.rpm x86_64: 389-ds-base-1.3.7.5-21.el7_5.x86_64.rpm 389-ds-base-debuginfo-1.3.7.5-21.el7_5.x86_64.rpm 389-ds-base-devel-1.3.7.5-21.el7_5.x86_64.rpm 389-ds-base-libs-1.3.7.5-21.el7_5.x86_64.rpm 389-ds-base-snmp-1.3.7.5-21.el7_5.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: 389-ds-base-1.3.7.5-21.el7_5.src.rpm ppc64le: 389-ds-base-1.3.7.5-21.el7_5.ppc64le.rpm 389-ds-base-debuginfo-1.3.7.5-21.el7_5.ppc64le.rpm 389-ds-base-libs-1.3.7.5-21.el7_5.ppc64le.rpm x86_64: 389-ds-base-1.3.7.5-21.el7_5.x86_64.rpm 389-ds-base-debuginfo-1.3.7.5-21.el7_5.x86_64.rpm 389-ds-base-libs-1.3.7.5-21.el7_5.x86_64.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7): Source: 389-ds-base-1.3.7.5-21.el7_5.src.rpm aarch64: 389-ds-base-1.3.7.5-21.el7_5.aarch64.rpm 389-ds-base-debuginfo-1.3.7.5-21.el7_5.aarch64.rpm 389-ds-base-libs-1.3.7.5-21.el7_5.aarch64.rpm ppc64le: 389-ds-base-1.3.7.5-21.el7_5.ppc64le.rpm 389-ds-base-debuginfo-1.3.7.5-21.el7_5.ppc64le.rpm 389-ds-base-libs-1.3.7.5-21.el7_5.ppc64le.rpm Red Hat Enterprise Linux Server Optional (v. 7): Source: 389-ds-base-1.3.7.5-21.el7_5.src.rpm ppc64: 389-ds-base-1.3.7.5-21.el7_5.ppc64.rpm 389-ds-base-debuginfo-1.3.7.5-21.el7_5.ppc64.rpm 389-ds-base-devel-1.3.7.5-21.el7_5.ppc64.rpm 389-ds-base-libs-1.3.7.5-21.el7_5.ppc64.rpm 389-ds-base-snmp-1.3.7.5-21.el7_5.ppc64.rpm ppc64le: 389-ds-base-debuginfo-1.3.7.5-21.el7_5.ppc64le.rpm 389-ds-base-devel-1.3.7.5-21.el7_5.ppc64le.rpm 389-ds-base-snmp-1.3.7.5-21.el7_5.ppc64le.rpm s390x: 389-ds-base-1.3.7.5-21.el7_5.s390x.rpm 389-ds-base-debuginfo-1.3.7.5-21.el7_5.s390x.rpm 389-ds-base-devel-1.3.7.5-21.el7_5.s390x.rpm 389-ds-base-libs-1.3.7.5-21.el7_5.s390x.rpm 389-ds-base-snmp-1.3.7.5-21.el7_5.s390x.rpm x86_64: 389-ds-base-debuginfo-1.3.7.5-21.el7_5.x86_64.rpm 389-ds-base-devel-1.3.7.5-21.el7_5.x86_64.rpm 389-ds-base-snmp-1.3.7.5-21.el7_5.x86_64.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7): Source: 389-ds-base-1.3.7.5-21.el7_5.src.rpm aarch64: 389-ds-base-debuginfo-1.3.7.5-21.el7_5.aarch64.rpm 389-ds-base-devel-1.3.7.5-21.el7_5.aarch64.rpm 389-ds-base-snmp-1.3.7.5-21.el7_5.aarch64.rpm ppc64le: 389-ds-base-debuginfo-1.3.7.5-21.el7_5.ppc64le.rpm 389-ds-base-devel-1.3.7.5-21.el7_5.ppc64le.rpm 389-ds-base-snmp-1.3.7.5-21.el7_5.ppc64le.rpm s390x: 389-ds-base-1.3.7.5-21.el7_5.s390x.rpm 389-ds-base-debuginfo-1.3.7.5-21.el7_5.s390x.rpm 389-ds-base-devel-1.3.7.5-21.el7_5.s390x.rpm 389-ds-base-libs-1.3.7.5-21.el7_5.s390x.rpm 389-ds-base-snmp-1.3.7.5-21.el7_5.s390x.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: 389-ds-base-1.3.7.5-21.el7_5.src.rpm x86_64: 389-ds-base-1.3.7.5-21.el7_5.x86_64.rpm 389-ds-base-debuginfo-1.3.7.5-21.el7_5.x86_64.rpm 389-ds-base-libs-1.3.7.5-21.el7_5.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: 389-ds-base-debuginfo-1.3.7.5-21.el7_5.x86_64.rpm 389-ds-base-devel-1.3.7.5-21.el7_5.x86_64.rpm 389-ds-base-snmp-1.3.7.5-21.el7_5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-1089 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBWvsFZdzjgjWX9erEAQhXwg//bdyp8rZGYEp321LAgXYF8y4Yaq2jT54j SQImvxI9ew9AvLWPkRX6aO9vmKTTZxCC2oMcPOC8sj6p3h90V/5RaCRfA3sAS8rv ryYZbQQyxONJqc6BbL5/EDERjTQO3XVGvfFyF6nb+s5E8jpyJYqpdNY5yAKTpysi xMYmYkYXDEZeU5om7SBx6IzTKGTLrHa6ckZFNoyL7qArJoHX/h1X8m/ocXgs/O3b wqNxWn28WAwPxfJ8iy3W2PswsVdoL7Oadd8b4YpAnvDSN4R9kRv6lN5JPLOc83LU thti4Sb3tE0DJ5lYyLNMIHjwZfk/RhH4HYWxcp9iGvYoKrNyWtk7V/HX3DziKxpI 4DKVoGzGCTziR9VifXylKfK4neS/ihCiWWUPRKHOPmh/9nvx6TG9a8AEKqLRlB0P es4l3dt3eedngCoXggJUrpvXTfdAHwe/CsYIXSf/QObZVrnVMaPWRH325r7lww0A 7f+X4W8jyzIu/tD24X34/V6/2Gvo7YC96fu924qWcAD+9Nzl6qpNfO53uMeI0Q3g WVHRuXU9JxhYC8Rk4io8W+r2Av2HML3QwikbtKv1moU3c+GQWdeUTWbV1QnomgEZ Jvh0hcHV6bLTXg4YaLVONJerH30V1C1a8pFcSTaWq5+iCJL+11T94jQgviwJfooe f26l4LUE6ds= =o0wi -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce