RHSA-2010:0590 - Security Advisory
Low: Red Hat Directory Server security and enhancement update
Security Advisory: Low
Updated Red Hat Directory Server and related packages that fix one security
issue, multiple bugs, and add enhancements are now available as Red Hat
Directory Server 8.2.
The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Red Hat Directory Server is an LDAPv3-compliant directory server. The
redhat-ds-base package includes the LDAP server and command line utilities
for server administration.
Directory Server setup scripts created cache files, containing passwords
for the Directory and Administration Server administrative accounts, with
weak file permissions. A local user could use this flaw to obtain
authentication credentials for the administrative accounts. (CVE-2010-2241)
This update also adds the following enhancements:
- Entry USN - The Entry USN Plug-in provides a way for LDAP clients to know
that something in the database has changed by generating a global update
sequence number (USN) for every write operation.
- Linked Attributes - The new Linked Attributes Plug-in uses the DN value
of a known attribute to trace its way to the referenced entry, and then it
adds a reciprocal value, pointing back to the first entry.
- Bitwise Search - This release adds support for bit field values in LDAP
- Dereference Control - This release adds server support for the
dereference control in LDAP searches. A dereferencing search tracks back
over cross-references in an entry and returns information about the
- PAM Pass-through Plug-in - The PAM PTA plug-in allows Directory Server to
leverage a network's existing PAM service to authenticate users.
- SMD5 Password Storage Scheme - Passwords can now be stored with the
salted MD5 password hash.
- Syntax Checking - A new syntax validation plug-in verifies that the value
given for an attribute in an operation matches the required syntax for that
- Anonymous Resource Limits - A new server configuration attribute enables
the Directory Server to apply resource limits to anonymous binds.
- Anonymous Access Switch - A new server configuration attribute tells the
Directory Server to disable anonymous binds for added security.
- Secure Binds Switch - A new server configuration attribute tells the
Directory Server to require a secure connection of some kind for any simple
- SSF Restrictions - A new server configuration attribute allows
administrators to set a minimum Security Strength Factor (SSF) for all
connections to the server, which can require a secure connection.
- Mixed SASL/TLS Connections - Now, the server can have both SASL and TLS
- Setting Plug-in Load Orders - A new plug-in configuration attribute sets
the load order preference for the plug-in, anywhere from 1 to 99. This
effectively sets the load order for plug-ins of the same type.
- Named Pipe Log Script - A new directory script allows logging data to be
sent to a named pipe instead of the standard server logs.
- Simple Paged Results - This release adds server support for results of
LDAP searches to be broken into pages.
- New Matching Rule and Attribute Syntaxes - This release adds support for
several new matching rules and 11 new attribute syntaxes.
These packages also contain many bug fixes for major features in Red Hat
Directory Server, including replication, synchronization, setup and
migration, command line tools, the Java console, and the Administration
Server. Refer to the Red Hat Directory Server 8.2 Release Notes for further
All Red Hat Directory Server users should upgrade to Red Hat Directory
Server 8.2, which resolves these issues and adds these enhancements.
Users running Red Hat Directory Server should consult the Red Hat Directory
Server 8.2 Release Notes for installation and upgrade instructions:
- Red Hat Directory Server 8 x86_64
- Red Hat Directory Server 8 i386
- BZ - 608032 - CVE-2010-2241 redhat-ds: setup script insecure .inf file permissions
Red Hat Directory Server 8