-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5907
           389-ds-base security, bug fix, and enhancement update
                             16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           389-ds-base
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-2850 CVE-2022-0996 CVE-2022-0918

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2022:8162

Comment: CVSS (Max):  7.5 CVE-2022-0918 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: 389-ds-base security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:8162-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8162
Issue date:        2022-11-15
CVE Names:         CVE-2022-0918 CVE-2022-0996 CVE-2022-2850 
=====================================================================

1. Summary:

An update for 389-ds-base is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The
base packages include the Lightweight Directory Access Protocol (LDAP)
server and command-line utilities for server administration.

The following packages have been upgraded to a later upstream version:
389-ds-base (2.1.3). (BZ#2061801)

Security Fix(es):

* 389-ds-base: sending crafted message could result in DoS (CVE-2022-0918)

* 389-ds-base: SIGSEGV in sync_repl (CVE-2022-2850)

* 389-ds-base: expired password was still allowed to access the database
(CVE-2022-0996)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the 389 server service will be restarted
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1872451 - [RFE] 389ds: run as non-root
2052527 - RFE - Provide an option to abort an Auto Member rebuild task.
2055815 - CVE-2022-0918 389-ds-base: sending crafted message could result in DoS
2057056 - Import may break the replication because changelog starting csn may not be created
2057063 - Add support for recursively deleting subentries
2061801 - Rebase 389-ds-base in RHEL 9.1
2064769 - CVE-2022-0996 389-ds-base: expired password was still allowed to access the database
2100337 - dsconf backend export userroot fails  ldap.DECODING_ERROR
2100572 - Versions for RHDS 9.1 do not match in dirsrv logs and output from rpm -qa
2115348 - memory leak with filter optimizer
2118691 - CVE-2022-2850 389-ds-base: SIGSEGV in sync_repl

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
389-ds-base-2.1.3-4.el9_1.src.rpm

aarch64:
389-ds-base-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-debuginfo-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-debugsource-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-libs-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.aarch64.rpm

noarch:
python3-lib389-2.1.3-4.el9_1.noarch.rpm

ppc64le:
389-ds-base-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-debuginfo-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-debugsource-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-libs-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.ppc64le.rpm

s390x:
389-ds-base-2.1.3-4.el9_1.s390x.rpm
389-ds-base-debuginfo-2.1.3-4.el9_1.s390x.rpm
389-ds-base-debugsource-2.1.3-4.el9_1.s390x.rpm
389-ds-base-libs-2.1.3-4.el9_1.s390x.rpm
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.s390x.rpm
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.s390x.rpm

x86_64:
389-ds-base-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-debuginfo-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-debugsource-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-libs-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-0918
https://access.redhat.com/security/cve/CVE-2022-0996
https://access.redhat.com/security/cve/CVE-2022-2850
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3PhHNzjgjWX9erEAQi3Lw/+Kp2fj71Eme7k3P5fYZon8pjEsHOaHuSz
FOTmU3hGViBe60UcUoyoERl2nbodmQ0yxozY4wz6H+TMHiTq1yj3LdiUQuZmOZMS
+BUBzSR24iyPaXbLoa1+NwSm2+QnQuD8Ch5E4YwNJNRcRIYP2yaVJdcNi7RLU0I7
aADq56AI4QX1D+0c1tSkybVTbgEpnNzABrvaapwD1eNwsVWaFJd46CZaf9WGt3ht
irr6PYHnyvoirvJndRsuuLgW2vJxhvI/6PQtOgM0SMyWWiIschFLlkelrjVsdQIH
f9J3Rk5kRCN7Kd9hKDIghsitB0ilod8gxvhyio6UzB9acbXj+a55J1nEjo2oalR8
psXHcFRemMiPTMEh/W68PdbhifTcxa85Z4H/iVtEDgpIugJ5+B0j0+hdnzm3dncT
IHsJVSayNuUqY04gpUhVsvEmzhVFogx9APJZmz4PhIaoGByX9Oti1t9IsqNENUVn
l0n8u4h3Az4eo4l6/PKaF3DrIVLXzuC5HXvU4NOW4VsW4aM7tfVIlDUDxr8FUhUE
8AKp+AThKmW2vFNTP9bnUNXQSMnKRFclO99w/f2SB+PjSb4IJzpIQ/QokXRQ8I2z
CUsrBtF1HQfwHPPV1fU2NvnLmtDEcxFX0kGgU11BaVSgoRpqrUpNPHmnQp9FpQUb
6ZLiLQ+itcM=
=dmbn
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3Q5+skNZI30y1K9AQjsmg/+MV71gKPfbYef71MQf8V8C+s04xNf/6vv
nAuhUVp5jqzHQJhrK32TTXaxTsntzyCsFXdKW9THjdD1aGaubfa8PrA0poOEVP9W
e0q6s1WQkV4wNhmi5d8Jj9K1ysLzQlMXNjzr2DQfRYyij+rgXk7g5wGlTBvb7eKs
6MNDOErGOflV2LFKu9J6XDQvEWU2tIwCvhuWG0m9beFX488pVmEx45xntcG7N3aG
92i71AMx9YqGZvcXpZL3KIw/ykwss+8bKDqin2a/FbiJJZl1SNephKdHY6v58THN
bTgu3mRaoEn1D5FFVklu5c4ZhR17cY1/B0Iv93bG50cJlk5F6Rw9RftR7KGBqtQz
vFwgxm0szvvu+LzealzHm6QucU2N6kwpUxko5JqpnjElIcxF6gEqm8hzmg6rUVMa
UD1jMqlvctX9Y7njCoUQNlGqkNZTDgz7IPiqEbNwkSIblyzZlwBrnnAYqRP4/lJO
rs6IAp5hiU4PSz8i0ABQhLNbRZry02kIRB4dchfe7zpbR/N9E5QAh9L0sgqfPveH
/hy02wMVURL9NQNtkDK8Gme6seNUQMVp/E31ZmChehp0b3zdgxO3k1jW2OR9gPBs
fy8wWGvw9nK2oCqGApwudBJn6+x5w/puE20DSKDI9MtjAWqcxC+VDNohqiMXzSoN
eWWFDa1YQOU=
=xyFH
-----END PGP SIGNATURE-----