[SECURITY] [DLA 1428-1] 389-ds-base security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1428-1] 389-ds-base security update
From: Thorsten Alteholz <debian@alteholz.de>
Date: Sun, 15 Jul 2018 22:09:20 +0200 (CEST)
Message-id: <[🔎] alpine.DEB.2.02.1807152208130.28017@jupiter.server.alteholz.net>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : 389-ds-base
Version        : 1.3.3.5-4+deb8u1
CVE ID         : CVE-2015-1854 CVE-2017-15134 CVE-2018-1054 CVE-2018-1089
                 CVE-2018-10850


CVE-2015-1854
     A flaw was found while doing authorization of modrdn operations.
     An unauthenticated attacker able to issue an ldapmodrdn call to
     the directory server could perform unauthorized modifications
     of entries in the directory server.

CVE-2017-15134
     Improper handling of a search filter in slapi_filter_sprintf()
     in slapd/util.c can lead to remote server crash and denial
     of service.

CVE-2018-1054
     When read access on <attribute_name> is enabled, a flaw in
     SetUnicodeStringFromUTF_8 function in collate.c, can lead to
     out-of-bounds memory operations.
     This might result in a server crash, caused by unauthorized
     users.

CVE-2018-1089
     Any user (anonymous or authenticated) can crash ns-slapd with a
     crafted ldapsearch query with very long filter value.

CVE-2018-10850
     Due to a race condition the server could crash in turbo mode
     (because of high traffic) or when a worker reads several requests
     in the read buffer (more_data). Thus an anonymous attacker could
     trigger a denial of service.


For Debian 8 "Jessie", these problems have been fixed in version
1.3.3.5-4+deb8u1.

We recommend that you upgrade your 389-ds-base packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJbS6nwXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHInMP/2VO9FnlmDFFCEeBSwU1Z7sP
uXPaHrAcx0dVEjFEERVZLK1lHCU37+zpOH3dvETW4HztDeDAWyFlo+kgVmwkujoz
mWRNgYHF16H/Ip3OJdr5wdOqDDqq1lS8jPGe70AQ60xJ1rIEGTq0PfjkfQXTxrpJ
HFekD0jGXW9B91lENUILjfSyR2oQ6L74gSwGxMqMTNNpGqe5QkxDTVFtDfDJKjGB
+fPcJ5cFgveSQkNZ+eoO8SLf3+fUXGI2uN9Zjz9iLvv5L31+BbrL4YeV3W/v03ha
nj4Nwsc6hNE/8NrhSlsvTcbBctCVdc6EZxnJQiz0nndiHjMltC83IbPwxFfnBiGq
6aEHxV4wgG2FEtSi/kT/RKQ0WTqvwDRqc/aOz2QiG9tT9Pj7hrb9okcOY+UslK9/
MhFf40s2LNeENYxYKPitdOlMtEDGap/rawKFfsaNS4mT6aRnuLH0ddEXe3oB2WiN
VgKKdLwLnViSbXfpCCkrd9q+uLYKg8IaGbkt1Ev1Xvwyo3iap6nP+nwNjM/lj4RE
/MizrsyGs1ISJqzStzNH1syAJifDW3HGU3beC9zkBwgFONEpYjL29QiR3OaZuo3o
6EzY8fWGFyx/8Jfe3yv1VDnGoAPMwTAh/ckWBruIgs1Q5aP6UvRBNSgq31W24zvD
LYKsrjNRHAvPVfqdaCPz
=pcH/
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA-1427-1] znc security update
Next by Date: [SECURITY] [DLA 1429-1] sssd security update
Previous by thread: [SECURITY] [DLA-1427-1] znc security update
Next by thread: [SECURITY] [DLA 1429-1] sssd security update
Index(es):
- Date
- Thread