-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5907
         389-ds-base security, bug fix, and enhancement update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           389-ds-base
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-2850 CVE-2022-0996 CVE-2022-0918

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8162

Comment: CVSS (Max):  7.5 CVE-2022-0918 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: 389-ds-base security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:8162-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8162
Issue date:        2022-11-15
CVE Names:         CVE-2022-0918 CVE-2022-0996 CVE-2022-2850
=====================================================================

1. Summary:

An update for 389-ds-base is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The
base packages include the Lightweight Directory Access Protocol (LDAP)
server and command-line utilities for server administration.

The following packages have been upgraded to a later upstream version:
389-ds-base (2.1.3). (BZ#2061801)

Security Fix(es):

* 389-ds-base: sending crafted message could result in DoS (CVE-2022-0918)

* 389-ds-base: SIGSEGV in sync_repl (CVE-2022-2850)

* 389-ds-base: expired password was still allowed to access the database
(CVE-2022-0996)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the 389 server service will be restarted
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1872451 - [RFE] 389ds: run as non-root
2052527 - RFE - Provide an option to abort an Auto Member rebuild task.
2055815 - CVE-2022-0918 389-ds-base: sending crafted message could result in DoS
2057056 - Import may break the replication because changelog starting csn may not be created
2057063 - Add support for recursively deleting subentries
2061801 - Rebase 389-ds-base in RHEL 9.1
2064769 - CVE-2022-0996 389-ds-base: expired password was still allowed to access the database
2100337 - dsconf backend export userroot fails ldap.DECODING_ERROR
2100572 - Versions for RHDS 9.1 do not match in dirsrv logs and output from rpm -qa
2115348 - memory leak with filter optimizer
2118691 - CVE-2022-2850 389-ds-base: SIGSEGV in sync_repl

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
389-ds-base-2.1.3-4.el9_1.src.rpm

aarch64:
389-ds-base-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-debuginfo-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-debugsource-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-libs-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.aarch64.rpm

noarch:
python3-lib389-2.1.3-4.el9_1.noarch.rpm

ppc64le:
389-ds-base-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-debuginfo-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-debugsource-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-libs-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.ppc64le.rpm

s390x:
389-ds-base-2.1.3-4.el9_1.s390x.rpm
389-ds-base-debuginfo-2.1.3-4.el9_1.s390x.rpm
389-ds-base-debugsource-2.1.3-4.el9_1.s390x.rpm
389-ds-base-libs-2.1.3-4.el9_1.s390x.rpm
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.s390x.rpm
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.s390x.rpm

x86_64:
389-ds-base-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-debuginfo-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-debugsource-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-libs-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-0918
https://access.redhat.com/security/cve/CVE-2022-0996
https://access.redhat.com/security/cve/CVE-2022-2850
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3PhHNzjgjWX9erEAQi3Lw/+Kp2fj71Eme7k3P5fYZon8pjEsHOaHuSz
FOTmU3hGViBe60UcUoyoERl2nbodmQ0yxozY4wz6H+TMHiTq1yj3LdiUQuZmOZMS
+BUBzSR24iyPaXbLoa1+NwSm2+QnQuD8Ch5E4YwNJNRcRIYP2yaVJdcNi7RLU0I7
aADq56AI4QX1D+0c1tSkybVTbgEpnNzABrvaapwD1eNwsVWaFJd46CZaf9WGt3ht
irr6PYHnyvoirvJndRsuuLgW2vJxhvI/6PQtOgM0SMyWWiIschFLlkelrjVsdQIH
f9J3Rk5kRCN7Kd9hKDIghsitB0ilod8gxvhyio6UzB9acbXj+a55J1nEjo2oalR8
psXHcFRemMiPTMEh/W68PdbhifTcxa85Z4H/iVtEDgpIugJ5+B0j0+hdnzm3dncT
IHsJVSayNuUqY04gpUhVsvEmzhVFogx9APJZmz4PhIaoGByX9Oti1t9IsqNENUVn
l0n8u4h3Az4eo4l6/PKaF3DrIVLXzuC5HXvU4NOW4VsW4aM7tfVIlDUDxr8FUhUE
8AKp+AThKmW2vFNTP9bnUNXQSMnKRFclO99w/f2SB+PjSb4IJzpIQ/QokXRQ8I2z
CUsrBtF1HQfwHPPV1fU2NvnLmtDEcxFX0kGgU11BaVSgoRpqrUpNPHmnQp9FpQUb
6ZLiLQ+itcM=
=dmbn
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3Q5+skNZI30y1K9AQjsmg/+MV71gKPfbYef71MQf8V8C+s04xNf/6vv
nAuhUVp5jqzHQJhrK32TTXaxTsntzyCsFXdKW9THjdD1aGaubfa8PrA0poOEVP9W
e0q6s1WQkV4wNhmi5d8Jj9K1ysLzQlMXNjzr2DQfRYyij+rgXk7g5wGlTBvb7eKs
6MNDOErGOflV2LFKu9J6XDQvEWU2tIwCvhuWG0m9beFX488pVmEx45xntcG7N3aG
92i71AMx9YqGZvcXpZL3KIw/ykwss+8bKDqin2a/FbiJJZl1SNephKdHY6v58THN
bTgu3mRaoEn1D5FFVklu5c4ZhR17cY1/B0Iv93bG50cJlk5F6Rw9RftR7KGBqtQz
vFwgxm0szvvu+LzealzHm6QucU2N6kwpUxko5JqpnjElIcxF6gEqm8hzmg6rUVMa
UD1jMqlvctX9Y7njCoUQNlGqkNZTDgz7IPiqEbNwkSIblyzZlwBrnnAYqRP4/lJO
rs6IAp5hiU4PSz8i0ABQhLNbRZry02kIRB4dchfe7zpbR/N9E5QAh9L0sgqfPveH
/hy02wMVURL9NQNtkDK8Gme6seNUQMVp/E31ZmChehp0b3zdgxO3k1jW2OR9gPBs
fy8wWGvw9nK2oCqGApwudBJn6+x5w/puE20DSKDI9MtjAWqcxC+VDNohqiMXzSoN
eWWFDa1YQOU=
=xyFH
-----END PGP SIGNATURE-----
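The advisory's sections 4 and 6 tell an administrator to apply the update and list the fixed builds (2.1.3-4.el9_1), but deciding whether a given host is still exposed means comparing its installed version against that build using rpm's own ordering rules, not plain string comparison. The following is an added example, not code from Red Hat or AusCERT: it reimplements rpm's version-segment comparison (`rpmvercmp`) in pure Python so an exported `rpm -qa` inventory can be checked offline, and applies it to the binary package names from section 6. The `rpm -qa` sample lines, including the pre-update build `2.1.3-3.el9` and the unrelated `openssl` entry, are constructed for the demo; the package set in `FIXED_EVR` is taken from the advisory.

```python
"""Check an `rpm -qa` inventory against the fixed 389-ds-base builds in RHSA-2022:8162.

Added example (not Red Hat's or AusCERT's code). Reimplements rpm's
version-segment comparison in pure Python so the check runs without the
rpm bindings, e.g. on an inventory exported from the hosts.
"""

# Package name -> (epoch, version, release) of the fixed build, from
# section 6 of the advisory above (RHEL 9 AppStream, 2.1.3-4.el9_1).
FIXED_EVR = {
    "389-ds-base": ("0", "2.1.3", "4.el9_1"),
    "389-ds-base-libs": ("0", "2.1.3", "4.el9_1"),
    "python3-lib389": ("0", "2.1.3", "4.el9_1"),
}


def _is_alpha(c: str) -> bool:
    return c.isascii() and c.isalpha()


def _is_digit(c: str) -> bool:
    return c.isascii() and c.isdigit()


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm does.

    Segments are maximal runs of digits or of letters: digits compare
    numerically, letters lexically, a numeric segment beats an alpha one,
    '~' sorts before everything (pre-releases) and '^' sorts after a bare
    base version (post-release snapshots). Returns -1, 0 or 1.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separator characters such as '.', '-', '_'
        while i < len(a) and not (_is_alpha(a[i]) or _is_digit(a[i]) or a[i] in "~^"):
            i += 1
        while j < len(b) and not (_is_alpha(b[j]) or _is_digit(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # tilde: older than anything else
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret: newer than the bare base
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):                 # one side ran out of segments
            break
        kind = _is_digit if _is_digit(ca) else _is_alpha
        ea = i
        while ea < len(a) and kind(a[ea]):
            ea += 1
        eb = j
        while eb < len(b) and kind(b[eb]):
            eb += 1
        seg_a, seg_b = a[i:ea], b[j:eb]
        if not seg_b:                       # types differ: numeric is newer
            return 1 if kind is _is_digit else -1
        if kind is _is_digit:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # more digits means a bigger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = ea, eb
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1         # leftover segments win


def compare_evr(x, y) -> int:
    """Order (epoch, version, release) tuples: epoch first, then version, then release."""
    if int(x[0]) != int(y[0]):
        return 1 if int(x[0]) > int(y[0]) else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def parse_nevra(nevra: str):
    """Split 'name-[epoch:]version-release.arch' as printed by `rpm -qa`."""
    base, arch = nevra.rsplit(".", 1)
    name, version, release = base.rsplit("-", 2)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return name, epoch, version, release, arch


def needs_update(nevra: str):
    """True if the package is covered by the advisory and older than the fixed
    build, False if it is already at or above it, None if it is out of scope."""
    name, epoch, version, release, _arch = parse_nevra(nevra)
    fixed = FIXED_EVR.get(name)
    if fixed is None:
        return None
    return compare_evr((epoch, version, release), fixed) < 0


def scan_inventory(text: str):
    """Return the `rpm -qa` lines that still need RHSA-2022:8162 applied."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return [ln for ln in lines if needs_update(ln)]


# Constructed sample of `rpm -qa` output: the 2.1.3-3.el9 build and the
# openssl line are invented for this demo, not taken from the advisory.
SAMPLE_RPM_QA = """\
389-ds-base-2.1.3-3.el9.x86_64
389-ds-base-libs-2.1.3-3.el9.x86_64
python3-lib389-2.1.3-4.el9_1.noarch
openssl-3.0.1-43.el9_0.x86_64
"""

if __name__ == "__main__":
    for pkg in scan_inventory(SAMPLE_RPM_QA):
        print("needs RHSA-2022:8162:", pkg)
```

On a live host the same check is `rpm -qa | python3 check.py` with `SAMPLE_RPM_QA` replaced by `sys.stdin.read()`; the point of reimplementing `rpmvercmp` rather than comparing strings is that release tags such as `4.el9_1` versus `10.el9` or pre-release markers like `~rc1` sort correctly only under rpm's segment rules.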