RHEA-2011:1711 - Product Enhancement Advisory

Topic

Updated 389-ds-base packages that fix several bugs and add various enhancements
are now available for Red Hat Enterprise Linux
6.

Description

The 389 Directory Server is an LDAPv3 compliant server. The base packages
include the Lightweight Directory Access Protocol (LDAP) server and
command-line utilities for server administration.

This update fixes the following bugs:

• If a server sent a response to an unbind request and the client simply

closed the connection, Directory Server 8.2 logged "Netscape Portable
Runtime error -5961 (TCP connection reset by peer.)". (BZ#720458)

• An incorrect SELinux context caused AVC errors in

/var/log/audit/audit.log. (BZ#752155)

• A number of memory leaks and performance errors were fixed. (BZ#697663,

BZ#700665, BZ#711533, BZ#711241, BZ#726136, BZ#700215).

• The DS could not restart after a new object class was created which used

the entryUSN attribute. (BZ#711266)

• The ns-slapd process segfaulted if suffix referrals were enabled.

(BZ#712167)

• A high volume of TCP traffic could cause the slapd process to quit

responding to clients. (BZ#711513)

• Attempting to delete a VLV index caused the server to hang. (BZ#714298)
• Connections to the DS by an RSA authentication server using simple paged

results by default would timeout. (BZ#720051)

• Running a simple paged search against a subtree with a host-based ACI

would hang the server. (BZ#735217)

• If the target attribute list for an ACI had syntax errors and more than

five attributes, the server crashed. (BZ#733443)

• It was not possible to set account lockout policies after upgrading from

RHDS 8.1. (BZ#734267)

• Adding an entry with an RDN containing a % caused the server to crash.

(BZ#720452)

• Only FIPS-supported ciphers can be used if the server is running in FIPS

mode. (BZ#709868)

• It is possible to disable SSLv3 and only allow TLS. (BZ#711265)
• If the changelog was encrypted and the certificate became corrupt, the

server crashed. (BZ#713317, BZ#713318)

• If the passwordisglobalpolicy attribute was enabled on a chained server,

a secure connection to the master failed. (BZ#733434)

• If a chained database was replicated, the server could segfault.

(BZ#714310)

• Editing a replication agreement to use SASL/GSS-API failed with GSS-API

errors. (BZ#694571)

• In replication, a msgid may not be sent to the right thread, which

caused "Bad parameter to an LDAP routine" errors. This causes failures to
propagate up and halt replication. (BZ#742611)

• Password changes were replicated among masters replication, but not to

consumers. (BZ#701057)

• If an entry was modified on RHDS and the corresponding entry was deleted

on the Windows side, the sync operation attempts to use the wrong entry.
(BZ#717066)

• Some changes were not properly synced over to RHDS from Windows.

(BZ#734831)

• RHDS entries were not synced over to Windows if the user's CN had a

comma. (BZ#726273)

• Intensive update loads on master servers could break the cache on the

consumer, causing it to crash. (BZ#718351)

• Syncing a multi-valued attribute could delete all the other instances of

that attribute when a new value was added. (BZ#699458)

• If a synced user subtree on Windows was deleted and then a user password

was changed on the RHDS, the DS would crash. (BZ#729817)

This update provides the following enhancements:

• The nsslapd-idlistscanlimit configuration attribute can be set

dynamically, instead of requiring a restart. (BZ#742382)

• Separate resource limits can be set for paged searches, independent of

resource limits for regular searches. (BZ#742661)

• The sudo schema has been updated. (BZ#720459)
• A new configuration attribute sets a different list of replicated

attributes for a total update versus an incremental update. (BZ#739959)

• A new configuration option allows the server to be started with an

expired certificate. (BZ#733440)

• New TLS/SSL error messages have been added to the replication error log

level. (BZ#720461)

Users are advised to upgrade to these updated 389-ds-base packages, which
resolve these issues and add these enhancements.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386

Fixes

• BZ - 694571 - Replica Installation logs scary GSSAPI errors
• BZ - 697663 - memory leak: entryusn value is leaked when an entry is deleted
• BZ - 699458 - windows sync can lose old multi-valued attribute values when a new value is added
• BZ - 700215 - ldclt core dumps
• BZ - 700665 - Linked attributes callbacks access free'd pointers after close
• BZ - 701057 - userpasswd not replicating
• BZ - 705172 - 389-ds should only be supported and supplied in channels for i386 and x86_64 Server distributions - RHEL 6.1 0day Advisory
• BZ - 711241 - memory leak found by reliab12
• BZ - 711265 - [RFE] Cannot disable SSLv3 and use TLS only
• BZ - 711266 - DS can not restart after create a new objectClass has entryusn attribute
• BZ - 711513 - slapd stops responding
• BZ - 711516 - Support upgrade from Red Hat Directory Server
• BZ - 711533 - Memory leak: when extra referrals configured
• BZ - 712167 - ns-slapd segfaults using suffix referrals
• BZ - 713317 - Cert renewal for attrcrypt and encchangelog
• BZ - 713318 - Cert renewal for attrcrypt and encchangelog
• BZ - 714298 - unresponsive LDAP service when deleting vlv on replica
• BZ - 714310 - Segmentation fault (core dumped) while doing Import in a Replication Setup.
• BZ - 717064 - rhds82 - incr update state stop_fatal_error "requires administrator action", with extop_result: 9
• BZ - 717066 - winsync uses old AD entry if new one not found
• BZ - 718351 - Intensive updates on masters could break the consumer's cache
• BZ - 720051 - RSA Authentication Server timeouts when using simple paged results on RHDS 8.2.
• BZ - 720452 - RDN with % can cause crashes or missing entries
• BZ - 720458 - Directory Server 8.2 logs "Netscape Portable Runtime error -5961 (TCP connection reset by peer.)" to error log whereas Directory Server 8.1 did not.
• BZ - 720459 - Sudo Schema is old and needs updating
• BZ - 720461 - Need TLS/SSL error messages in repl status and errors log
• BZ - 725912 - Instance upgrade fails when upgrading 389-ds-base package
• BZ - 726136 - Directory server hangs during unit tests
• BZ - 726273 - Winsync: DS entries fail to sync to AD, if the User's CN entry contains a comma
• BZ - 729816 - upgrade DB to upgrade from entrydn to entryrdn format is not working.
• BZ - 729817 - delete user subtree container in AD + modify password in DS == DS crash
• BZ - 733440 - [RFE] add option to allow server to start with an expired certificate
• BZ - 733442 - Ignore an error 32 in this case since we're adding a new AutoMember definition
• BZ - 733443 - large targetattr list with syntax errors cause server to crash or hang
• BZ - 734267 - upgradednformat failed to add RDN value - subtree and user account lockout policies implemented?
• BZ - 734831 - WinSync: Certain entries in DS are not updated properly when using WinSync API
• BZ - 735217 - simple paged search + ip/dns based ACI hangs server
• BZ - 736137 - renaming a managed entry does not update mepmanagedby
• BZ - 739959 - [RFE] Allow separate fractional attrs to be defined for incremental and total protocols
• BZ - 742382 - [RFE] allow nsslapd-idlistscanlimit to be set dynamically and per-user

CVEs

(none)

References

(none)