-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0474
                        389-ds:1.4 security update
                             11 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           389-ds:1.4 module
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 8
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-14824  

Reference:         ESB-2019.4488
                   ESB-2019.4108

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:0464

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: 389-ds:1.4 security update
Advisory ID:       RHSA-2020:0464-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:0464
Issue date:        2020-02-10
CVE Names:         CVE-2019-14824 
=====================================================================

1. Summary:

An update for the 389-ds:1.4 module is now available for Red Hat Enterprise
Linux 8.0 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.0) - noarch, ppc64le, x86_64

3. Description:

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The
base packages include the Lightweight Directory Access Protocol (LDAP)
server and command-line utilities for server administration.

Security Fix(es):

* 389-ds-base: Read permission check bypass via the deref plugin
(CVE-2019-14824)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1747448 - CVE-2019-14824 389-ds-base: Read permission check bypass via the deref plugin

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.0):

Source:
389-ds-base-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.src.rpm

noarch:
python3-lib389-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.noarch.rpm

ppc64le:
389-ds-base-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.ppc64le.rpm
389-ds-base-debuginfo-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.ppc64le.rpm
389-ds-base-debugsource-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.ppc64le.rpm
389-ds-base-devel-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.ppc64le.rpm
389-ds-base-legacy-tools-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.ppc64le.rpm
389-ds-base-legacy-tools-debuginfo-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.ppc64le.rpm
389-ds-base-libs-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.ppc64le.rpm
389-ds-base-libs-debuginfo-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.ppc64le.rpm
389-ds-base-snmp-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.ppc64le.rpm
389-ds-base-snmp-debuginfo-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.ppc64le.rpm

x86_64:
389-ds-base-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.x86_64.rpm
389-ds-base-debuginfo-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.x86_64.rpm
389-ds-base-debugsource-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.x86_64.rpm
389-ds-base-devel-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.x86_64.rpm
389-ds-base-legacy-tools-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.x86_64.rpm
389-ds-base-legacy-tools-debuginfo-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.x86_64.rpm
389-ds-base-libs-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.x86_64.rpm
389-ds-base-libs-debuginfo-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.x86_64.rpm
389-ds-base-snmp-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.x86_64.rpm
389-ds-base-snmp-debuginfo-1.4.0.20-10.1.module+el8.0.0+4597+364a3066.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-14824
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXkG039zjgjWX9erEAQi81g//V3KyJFNRgCTDAG2qqjZ4lOvzOWn38BCk
YU1FNQr7CqLP/OLPWRytFWPeHsNK48s3Ek5AyBgy1F564Yg5ihF5F64zeg6msRQ2
bFjBLDy+iDpig4eBcSTWmTYjnXp+gMPahkWUmykEeIB2X7eYIVpgaKbmuUIfaWTa
Mz/KzW+AtIVBhpzq7bnch2lyGjsc4u4wlC4TcSLUw/+dab6sdXu5trFRPNZ5v5bq
7SggknH4HpUvYrxyaWcuP7xcq6j+xSlQgtaNq+k5ExPHvPXw84LkvFuF5X5A1H+k
snHHnHaGCA4UJ0eDYqnwC9cqe6jZcBhU1gdNQRmkTeJBRpoGHyCYRdbBd5dH5Zq7
7+qtHuNcRFalqPwmvtKAlDtLkZEdSWbS8oDA00UMhmS8ND7ut4EwZ46uFXUSXeRE
l38sNoarldMud4FZc+m04Fwis4fiKYLtWvzY44IRwbWZg6RY/nx8RdEsyJLYfC7a
tHD8hOol4p2UPhYyrBEkiV3thhS2tFndsR2YS1IDawh9CWNKzlqoOWx1P9yhmFvg
Lj3HWoXcXhsfTIMW7bSLRGbKDT0UtdmVNLxAewLN4TlqnOwX86s3pfgoiVOURINO
9cAXnaVnuJIQFSBDetjWxjFnptsY9C03HLK9+Ik1pINItl6OdTn+6Nzj2MCreZ7J
0wupZUcDUI8=
=cqFp
- -----END PGP SIGNATURE-----

- --
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXkIpb2aOgq3Tt24GAQjofg//e2+QgfuF+pELsKqt7tfmsTg7yq36PQGH
WIQtXpCcDqkPIwmrNG2DUIW/UQSrdw7+HX5AiXG+JD4u7KptDHJjEbIdwef4mpI4
Be+sGFYjoJMxUxtL6j45PIgmlqPUIJjr4AFyk4mny5FdyWIk7OldzdDgyy48zDZY
5+63QD2tN2oSbpDa1Gsiq35EEXV/nZtx56/822aigZTUCCYge/iz2coSdlygRgK9
3B5a0Gvy3SrGk+gupi01a54WVp8rhO4+SMbwgaeChx3j4FpsbE1wRLAGv9MxqYO/
v5sLWNNOmb7xHGiJ3ctIUn89nxppGuJrd7lb5PsulpYMMYcmNnSqQ7Eh1HBz06CC
2OS6uM0m975+6lgtYMiXRixGlnhmxHGtrUzVw+PariOyh5hq+PvlywD5J2qDO8AR
scAMmgp8m2+/rvPxZw4+thpVuGAtLbgFKtkufnp3g0JtHJRJSENch5Y7KD57ENlW
clrIwoIKUpDlyTlcjiSaAWFJukL4i4LOkOpp7JEVy6pHFe1TZMYLkLQ+Wzdi8giY
+1ueU/O5iSUT8829A/b4Z39e6Y5TsbmD3OFIfqxBvkh4znE6GcOcff3hduH+lT1O
F39zqsfMovdsOIYZ9MsbD2Qx5Nkq7QZxuMenDoi1B6ZYDM7wNlm3t1vYqD/NvgWH
env2DhOkYqA=
=HsCa
-----END PGP SIGNATURE-----