RHBA-2015:1326 - Bug Fix Advisory

Topic

Updated 389-ds-base packages that fix multiple bugs and add various enhancements
are now available for Red Hat Enterprise Linux 6.

Description

The 389 Directory Server is an LDAPv3 compliant server. The base packages
include the LDAP server and command-line utilities for server administration.

This update fixes the following bugs:

• When a suffix-mapping tree entry was created without the corresponding

back-end database, the server failed to start. This bug has been fixed.
(BZ#1193243)

• If a value of a password policy attribute was deleted, it caused a null

reference and an unexpected termination of the server. These crashes no longer
occur. (BZ#1145072)

• This update fixes a memory leak caused by a previous patch for BZ#1080185.

(BZ#1138745)

• If a Virtual List View search fails with the timelimit or adminlimit

parameters exceeded, the allocated memory of the IDL no longer leaks.
(BZ#1048987)

• If a search for "passwordAdminDN" in a "cn=config" entry returns a

non-existing value, a memory leak no longer occurs. (BZ#1162704)

• Rebuilding the Class of Service (CoS) cache no longer causes a memory leak.

(BZ#1169975)

• A bug in the nested CoS, when the closest above password policy was sometimes

not selected as expected, has been fixed. (BZ#1115960)

• When a SASL bind operation fails and Account Lockout is enabled, the Root DSE

entry no longer gets incorrectly updated with passwordRetryCount. (BZ#1169974)

• Password restrictions and syntax checks for Directory Manager and password

administrators are now properly applied so that these roles are not affected by
them. (BZ#1145379)

• Performance degradation with searches in large groups has been fixed by

introducing normalized DN cache. (BZ#1175868, BZ#1166313)

• Due to a known vulnerability in SSLv3, this protocol is now disabled by

default. (BZ#1153739)

• This update adds the flow control so that unbalanced process speed between a

supplier and a consumer does not cause replication to become unresponsive.
(BZ#1207024)

• A bug to replicate an "add: userPassword" operation has been fixed.

(BZ#1171308)

• A bug in the Windows Sync plug-in code caused AD-only member values

to be accidentally removed. Now, local and remote entries are handled
properly, preventing data loss. (BZ#1145374, BZ#1183820)

• Performing a schema reload sometimes caused a running search to fail to

return results. Now, the old schema is not removed until the reload is
complete. The search results are no longer corrupted. (BZ#1144092)

• The Berkeley DB library terminated unexpectedly when the Directory Server

simultaneously opened an index file and performed a search on the "cn=monitor"
subtree. The two operations are now mutually exclusive, which prevents the
crash. (BZ#1203338)

• When simple paged results requests were sent to the Directory Server

asynchronously and then abandoned immediately, the search results could leak.
Also, the implementation of simple paged results was not thread-safe. This
update fixes the leak and modifies the code to be thread-safe. (BZ#1223068,
BZ#1228402)

In addition, this update adds the following enhancements:

• A new memberOf plug-in configuration attribute memberOfSkipNested has been

added. This attribute allows you to skip the nested group check, which improves
performance of delete operations. (BZ#1167976)

• The Directory Server now supports TLS versions supported by the NSS library.

(BZ#1118285)

• The logconv.pl utility has been updated to include information about the

SSL/TLS versions in the access log. (BZ#1193241)

Users of 389-ds-base are advised to upgrade to these updated packages, which fix
these bugs and add these enhancements. After installing this update, the 389
server service will be restarted automatically.

Solution

Before applying this update, make sure all previously released errata relevant
to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386

Fixes

• BZ - 1138745 - Memory leak during Reliab15 execution
• BZ - 1145374 - WinSync - manual replica refresh removes AD-only member values from DS and AD in groups
• BZ - 1145379 - Adding an entry with an invalid password as rootDN is incorrectly rejected
• BZ - 1150368 - Unable to disable Null Ciphers on 389-Directory-Server using nsSSL3Ciphers in Ldif
• BZ - 1153739 - Disable SSL v3, by default.
• BZ - 1167976 - [RFE] memberOf - add option to skip nested group lookups during delete operations
• BZ - 1169974 - Account lockout attributes incorrectly updated after failed SASL Bind
• BZ - 1169975 - COS memory leak when rebuilding the cache
• BZ - 1170706 - cos_cache_build_definition_list does not stop during server shutdown
• BZ - 1171308 - replication not working for "add: userPassword" LDAP operation
• BZ - 1171357 - Bind DN tracking unable to write to internalModifiersName without special permissions
• BZ - 1174892 - Creating a glue fails if one above level is a conflict or missing
• BZ - 1179763 - COS cache doesn't properly mark vattr cache as invalid when there are multiple suffixes
• BZ - 1183820 - Windows Sync accidentally cleared raw_entry
• BZ - 1185025 - ldclt needs to support SSL Version range
• BZ - 1193235 - Fix coverity issues
• BZ - 1193241 - logconv.pl -- support parsing/showing/reporting different protocol versions
• BZ - 1193243 - ldbm_usn_init: Valgrind reports Invalid read / SIGSEGV
• BZ - 1202062 - Non tombstone entry which dn starting with "nsuniqueid=...," cannot be deleted
• BZ - 1202502 - memory leak in new_passwdPolicy
• BZ - 1210996 - TLS1 can't be turned off
• BZ - 1211006 - start/stop/restart-dirsrv utilities should ignore admin-serv directory
• BZ - 1211077 - nsslapd-ndn-cache-enabled returns 1 or 0 instead of "on" or "off"
• BZ - 1212657 - Password is not correctly passed to perl command line tools if it contains shell special characters.
• BZ - 1214074 - Need a way to abort a cleanallruv abort task
• BZ - 1219208 - Remove cleanAllRUV task limit of 4
• BZ - 1219218 - Improve CleanAllRUV task logging
• BZ - 1219990 - bind on db chained to AD returns err=32
• BZ - 1223068 - Regression introduced by the simple paged results fixes.
• BZ - 1228402 - Individual abandoned simple paged results request has no chance to be cleaned up

CVEs

(none)

References

(none)