RHSA-2015:0416 - Security Advisory

Topic

Updated 389-ds-base packages that fix two security issues, several bugs,
and add various enhancements are now available for Red Hat Enterprise
Linux 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

An information disclosure flaw was found in the way the 389 Directory Server stored information in the Changelog that is exposed via the 'cn=changelog' LDAP sub-tree. An unauthenticated user could in certain cases use this flaw to read data from the Changelog, which could include sensitive information such as plain-text passwords.
(CVE-2014-8105)

It was found that when the nsslapd-unhashed-pw-switch 389 Directory Server configuration option was set to "off", it did not prevent the writing of unhashed passwords into the Changelog. This could potentially allow an authenticated user able to access the Changelog to read sensitive information. (CVE-2014-8112)

The CVE-2014-8105 issue was discovered by Petr Špaček of the Red Hat Identity Management Engineering Team, and the CVE-2014-8112 issue was discovered by Ludwig Krispenz of the Red Hat Identity Management Engineering Team.

Enhancements:

• Added new WinSync configuration parameters: winSyncSubtreePair for synchronizing multiple subtrees, as well as winSyncWindowsFilter and winSyncDirectoryFilter for synchronizing restricted sets by filters. (BZ#746646)
• It is now possible to stop, start, or configure plug-ins without the need to restart the server for the change to take effect. (BZ#994690)
• Access control related to the MODDN and MODRDN operations has been updated: the source and destination targets can be specified in the same access control instruction. (BZ#1118014)
• The nsDS5ReplicaBindDNGroup attribute for using a group distinguished name in binding to replicas has been added. (BZ#1052754)
• WinSync now supports range retrieval. If more than the MaxValRange number of attribute values exist per attribute, WinSync synchronizes all the attributes to the directory server using the range retrieval. (BZ#1044149)
• Support for the RFC 4527 Read Entry Controls and RFC 4533 Content Synchronization Operation LDAP standards has been added. (BZ#1044139, BZ#1044159)
• The Referential Integrity (referint) plug-in can now use an alternate configuration area. The PlugInArg plug-in configuration now uses unique configuration attributes. Configuration changes no longer require a server restart. (BZ#1044203)
• The logconv.pl log analysis tool now supports gzip, bzip2, and xz compressed files and also TAR archives and compressed TAR archives of these files. (BZ#1044188)
• Only the Directory Manager could add encoded passwords or force users to change their password after a reset. Users defined in the passwordAdminDN attribute can now also do this. (BZ#1118007)
• The "nsslapd-memberofScope" configuration parameter has been added to the MemberOf plug-in. With MemberOf enabled and a scope defined, moving a group out of scope with a MODRDN operation failed. Moving a member entry out of scope now correctly removes the memberof value. (BZ#1044170)
• The alwaysRecordLoginAttr attribute has been addded to the Account Policy plug-in configuration entry, which allows to distinguish between an attribute for checking the activity of an account and an attribute to be updated at successful login. (BZ#1060032)
• A root DSE search, using the ldapsearch command with the '-s base -b ""' options, returns only the user attributes instead of the operational attributes. The "nsslapd-return-default" option has been added for backward compatibility. (BZ#1118021)
• The configuration of the MemberOf plug-in can be stored in a suffix mapped to a back-end database, which allows MemberOf configuration to be replicated. (BZ#1044205)
• Added support for the SSL versions from the range supported by the NSS library available on the system. Due to the POODLE vulnerability, SSLv3 is disabled by default even if NSS supports it. (BZ#1044191)

Solution

All 389-ds-base users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues and add these
enhancements. After installing this update, the 389 server service will be restarted automatically.

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 7 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.7 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.6 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.5 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.4 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.3 x86_64
• Red Hat Enterprise Linux Server from RHUI 7 x86_64
• Red Hat Enterprise Linux Server - AUS 7.7 x86_64
• Red Hat Enterprise Linux Server - AUS 7.6 x86_64
• Red Hat Enterprise Linux Server - AUS 7.4 x86_64
• Red Hat Enterprise Linux Server - AUS 7.3 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64
• Red Hat Enterprise Linux Workstation 7 x86_64
• Red Hat Enterprise Linux Desktop 7 x86_64
• Red Hat Enterprise Linux for Scientific Computing 7 x86_64
• Red Hat Enterprise Linux Server - TUS 7.7 x86_64
• Red Hat Enterprise Linux Server - TUS 7.6 x86_64
• Red Hat Enterprise Linux Server - TUS 7.3 x86_64
• Red Hat Enterprise Linux EUS Compute Node 7.7 x86_64
• Red Hat Enterprise Linux EUS Compute Node 7.6 x86_64
• Red Hat Enterprise Linux EUS Compute Node 7.5 x86_64
• Red Hat Enterprise Linux EUS Compute Node 7.4 x86_64
• Red Hat Enterprise Linux EUS Compute Node 7.3 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 7.7 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 7.6 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 7.4 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 7.3 x86_64

Fixes

• BZ - 881372 - nsDS5BeginReplicaRefresh attribute accepts any value and it doesn't throw any error when server restarts.
• BZ - 920597 - Possible to add invalid ACI value
• BZ - 921162 - Possible to add nonexistent target to ACI
• BZ - 923799 - if nsslapd-cachememsize set to the number larger than the RAM available, should result in proper error message.
• BZ - 924937 - Attribute "dsOnlyMemberUid" not allowed when syncing nested posix groups from AD with posixWinsync
• BZ - 951754 - Self entry access ACI not working properly
• BZ - 975176 - Non-directory manager can change the individual userPassword's storage scheme
• BZ - 982597 - Some attributes in cn=config should not be multivalued
• BZ - 994690 - [RFE] Allow dynamically adding/enabling/disabling/removing plugins without requiring a server restart
• BZ - 1012991 - errorlog-level 16384 is listed as 0 in cn=config
• BZ - 1013736 - Enabling/Disabling DNA plug-in throws "ldap_modify: Server Unwilling to Perform (53)" error
• BZ - 1014380 - setup-ds.pl doesn't lookup the "root" group correctly
• BZ - 1024541 - start dirsrv after ntpd
• BZ - 1029959 - Managed Entries betxnpreoperation - transaction not aborted upon failure to create managed entry
• BZ - 1031216 - add dbmon.sh
• BZ - 1044133 - Indexed search with filter containing '&' and "!" with attribute subtypes gives wrong result
• BZ - 1044134 - [RFE] should set LDAP_OPT_X_SASL_NOCANON to LDAP_OPT_ON by default
• BZ - 1044135 - [RFE] make connection buffer size adjustable
• BZ - 1044137 - [RFE] posix winsync should support ADD user/group entries from DS to AD
• BZ - 1044138 - mep_pre_op: Unable to fetch origin entry
• BZ - 1044139 - [RFE] Support RFC 4527 Read Entry Controls
• BZ - 1044140 - Allow search to look up 'in memory RUV'
• BZ - 1044141 - MMR stress test with dna enabled causes a deadlock
• BZ - 1044142 - winsync doesn't sync DN valued attributes if DS DN value doesn't exist
• BZ - 1044143 - modrdn + NSMMReplicationPlugin - Consumer failed to replay change
• BZ - 1044144 - resurrected entry is not correctly indexed
• BZ - 1044146 - Add a warning message when a connection hits the max number of threads
• BZ - 1044147 - 7-bit check plugin does not work for userpassword attribute
• BZ - 1044148 - The backend name provided to bak2db is not validated
• BZ - 1044149 - [RFE] Winsync should support range retrieval
• BZ - 1044150 - 7-bit checking is not necessary for userPassword
• BZ - 1044151 - With SeLinux, ports can be labelled per range. setup-ds.pl or setup-ds-admin.pl fail to detect already ranged labelled ports
• BZ - 1044152 - ChainOnUpdate: "cn=directory manager" can modify userRoot on consumer without changes being chained or replicated. Directory integrity compromised.
• BZ - 1044153 - mods optimizer
• BZ - 1044154 - multi master replication allows schema violation
• BZ - 1044156 - DS crashes with some 7-bit check plugin configurations
• BZ - 1044157 - Some updates of "passwordgraceusertime" are useless when updating "userpassword"
• BZ - 1044159 - [RFE] Support 'Content Synchronization Operation' (SyncRepl) - RFC 4533
• BZ - 1044160 - remove-ds.pl should remove /var/lock/dirsrv
• BZ - 1044162 - enhance retro changelog
• BZ - 1044163 - updates to ruv entry are written to retro changelog
• BZ - 1044164 - Password administrators should be able to violate password policy
• BZ - 1044168 - Schema replication between DS versions may overwrite newer base schema
• BZ - 1044169 - [RFE] ACIs do not allow attribute subtypes in targetattr keyword
• BZ - 1044170 - [RFE] Allow memberOf suffixes to be configurable
• BZ - 1044171 - [RFE] Allow referential integrity suffixes to be configurable
• BZ - 1044172 - Plugin library path validation prevents intentional loading of out-of-tree modules
• BZ - 1044173 - [RFE] make referential integrity configuration more flexible
• BZ - 1044177 - allow configuring changelog trim interval
• BZ - 1044179 - objectclass may, must lists skip rest of objectclass once first is found in sup
• BZ - 1044180 - memberOf on a user is converted to lowercase
• BZ - 1044181 - report unindexed internal searches
• BZ - 1044183 - With 1.3.04 and subtree-renaming OFF, when a user is deleted after restarting the server, the same entry can't be added
• BZ - 1044185 - dbscan on entryrdn should show all matching values
• BZ - 1044187 - [RFE] logconv.pl - add on option for a minimum etime for unindexed search stats
• BZ - 1044188 - [RFE] Recognize compressed log files
• BZ - 1044191 - [RFE] support TLSv1.1 and TLSv1.2, if supported by NSS
• BZ - 1044193 - default nsslapd-sasl-max-buffer-size should be 2MB
• BZ - 1044194 - Complex filter in a search request doen't work as expected.
• BZ - 1044196 - Automember plug-in should treat MODRDN operations as ADD operations
• BZ - 1044198 - Replication of the schema may overwrite consumer 'attributetypes' even if consumer definition is a superset
• BZ - 1044202 - db2bak.pl issue when specifying non-default directory
• BZ - 1044203 - [RFE] Allow referint plugin to use an alternate config area
• BZ - 1044205 - [RFE] Allow memberOf to use an alternate config area
• BZ - 1044210 - idl switch does not work
• BZ - 1044211 - [RFE] make old-idl tunable
• BZ - 1044212 - IDL-style can become mismatched during partial restoration
• BZ - 1044213 - backend performance - introduce optimization levels
• BZ - 1044215 - using transaction batchval violates durability
• BZ - 1044216 - examine replication code to reduce amount of stored state information
• BZ - 1048980 - 7-bit check plugin not checking MODRDN operation
• BZ - 1049030 - Windows Sync group issues
• BZ - 1052751 - Page control does not work if effective rights control is specified
• BZ - 1052754 - [RFE] Allow nsDS5ReplicaBindDN to be a group DN
• BZ - 1057803 - logconv errors when search has invalid bind dn
• BZ - 1061060 - betxn: retro changelog broken after cancelled transaction
• BZ - 1063990 - single valued attribute replicated ADD does not work
• BZ - 1064006 - Size returned by slapi_entry_size is not accurate
• BZ - 1064986 - Replication retry time attributes cannot be added
• BZ - 1067090 - Missing warning for invalid replica backoff configuration
• BZ - 1072032 - Updating nsds5ReplicaHost attribute in a replication agreement fails with error 53
• BZ - 1074306 - Under heavy stress, failure of turning a tombstone into glue makes the server hung
• BZ - 1074447 - Part of DNA shared configuration is deleted after server restart
• BZ - 1076729 - Continuous add/delete of an entry in MMR setup causes entryrdn-index conflict
• BZ - 1077884 - ldap/servers/slapd/back-ldbm/dblayer.c: possible minor problem with sscanf
• BZ - 1077897 - Memory leak with proxy auth control
• BZ - 1079099 - Simultaneous adding a user and binding as the user could fail in the password policy check
• BZ - 1080186 - Creating a glue fails if one above level is a conflict or missing
• BZ - 1082967 - attribute uniqueness plugin fails when set as a chaining component
• BZ - 1086890 - empty modify returns LDAP_INVALID_DN_SYNTAX
• BZ - 1086902 - mem leak in do_bind when there is an error
• BZ - 1086904 - mem leak in do_search - rawbase not freed upon certain errors
• BZ - 1086908 - Performing deletes during tombstone purging results in operation errors
• BZ - 1090178 - #481 breaks possibility to reassemble memberuid list
• BZ - 1092099 - A replicated MOD fails (Unwilling to perform) if it targets a tombstone
• BZ - 1092342 - nsslapd-ndn-cache-max-size accepts any invalid value.
• BZ - 1092648 - Negative value of nsSaslMapPriority is not reset to lowest priority
• BZ - 1097004 - Problem with deletion while replicated
• BZ - 1098654 - db2bak.pl error with changelogdb
• BZ - 1099654 - Normalization from old DN format to New DN format doesnt handel condition properly when there is space in a suffix after the seperator operator.
• BZ - 1108298 - Rebase 389-ds-base to 1.3.3
• BZ - 1108405 - find a way to remove replication plugin errors messages "changelog iteration code returned a dummy entry with csn %s, skipping ..."
• BZ - 1108407 - managed entry plugin fails to update managed entry pointer on modrdn operation
• BZ - 1108872 - Logconv.pl with an empty access log gives lots of errors
• BZ - 1108874 - logconv.pl memory continually grows
• BZ - 1108881 - rsearch filter error on any search filter
• BZ - 1108895 - [RFE] CLI report to monitor replication
• BZ - 1108902 - rhds91 389-ds-base-1.2.11.15-31.el6_5.x86_64 crash in db4 __dbc_get_pp env = 0x0 ?
• BZ - 1108909 - single valued attribute replicated ADD does not work
• BZ - 1109334 - 389 Server crashes if uniqueMember is invalid syntax and memberOf plugin is enabled.
• BZ - 1109336 - Parent numsubordinate count can be incorrectly updated if an error occurs
• BZ - 1109339 - Nested tombstones become orphaned after purge
• BZ - 1109354 - Tombstone purging can crash the server if the backend is stopped/disabled
• BZ - 1109357 - Coverity issue in 1.3.3
• BZ - 1109364 - valgrind - value mem leaks, uninit mem usage
• BZ - 1109375 - provide default syntax plugin
• BZ - 1109378 - Environment variables are not passed when DS is started via service
• BZ - 1111364 - Updating winsync one-way sync does not affect the behaviour dynamically
• BZ - 1112824 - Broken dereference control with the FreeIPA 4.0 ACIs
• BZ - 1113605 - server restart wipes out index config if there is a default index
• BZ - 1115177 - attrcrypt_generate_key calls slapd_pk11_TokenKeyGenWithFlags with improper macro
• BZ - 1117021 - Server deadlock if online import started while server is under load
• BZ - 1117975 - paged results control is not working in some cases when we have a subsuffix.
• BZ - 1117979 - harden the list of ciphers available by default
• BZ - 1117981 - Fix various typos in manpages & code
• BZ - 1117982 - Fix hyphens used as minus signed and other manpage mistakes
• BZ - 1118002 - server crashes deleting a replication agreement
• BZ - 1118006 - [RFE] forcing passwordmustchange attribute by non-cn=directory manager
• BZ - 1118007 - [RFE] Make it possible for privileges to be provided to an admin user to import an LDIF file containing hashed passwords
• BZ - 1118014 - [RFE] Enhance ACIs to have more control over MODRDN operations
• BZ - 1118021 - [RFE] Don't return all attributes in rootdse without explicit request
• BZ - 1118032 - Schema Replication Issue
• BZ - 1118043 - Failed deletion of aci: no such attribute
• BZ - 1118048 - If be_txn plugin fails in ldbm_back_add, adding entry is double freed.
• BZ - 1118051 - Add switch to disable pre-hashed password checking
• BZ - 1118054 - Make ldbm_back_seq independently support transactions
• BZ - 1118055 - Add operations rejected by betxn plugins remain in cache
• BZ - 1118057 - online import crashes server if using verbose error logging
• BZ - 1118059 - [RFE] add fixup-memberuid.pl script
• BZ - 1118060 - winsync plugin modify is broken
• BZ - 1118066 - [RFE] memberof scope: allow to exclude subtrees
• BZ - 1118069 - 389-ds production segfault: __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:144
• BZ - 1118074 - ds logs many "SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN plugin returned error" messages
• BZ - 1118076 - ds logs many "Operation error fetching Null DN" messages
• BZ - 1118077 - Improve import logging and abort handling
• BZ - 1118079 - Multi master replication initialization incomplete after restore of one master
• BZ - 1118080 - Don't add unhashed password mod if we don't have an unhashed value
• BZ - 1118081 - Investigate betxn plugins to ensure they return the correct error code
• BZ - 1118082 - The error result text message should be obtained just prior to sending result
• BZ - 1139882 - coverity defects found in 1.3.3.x
• BZ - 1140888 - Broken dereference control with the FreeIPA 4.0 ACIs
• BZ - 1145846 - 389-ds 1.3.3.0 does not adjust cipher suite configuration on upgrade, breaks itself and pki-server: "Cipher suite fortezza is not available in NSS 3.17" , "Cannot communicate securely with peer: no common encryption algorithm(s)."
• BZ - 1150206 - result of dna_dn_is_shared_config is incorrectly used
• BZ - 1150694 - Encoding of SearchResultEntry is missing tag
• BZ - 1150695 - ldbm_back_modify SLAPI_PLUGIN_BE_PRE_MODIFY_FN does not return even if one of the preop plugins fails.
• BZ - 1151287 - dynamically added macro aci is not evaluated on the fly
• BZ - 1153737 - Disable SSL v3, by default.
• BZ - 1156607 - Crash in entry_add_present_values_wsi_multi_valued
• BZ - 1162997 - Directory Server crashes while trying to perform export task for automember plugin with dynamic plugin on.
• BZ - 1163461 - Should not check aci syntax when deleting an aci
• BZ - 1166252 - RHEL7.1 ns-slapd segfault when ipa-replica-install restarts dirsrv
• BZ - 1166260 - cookie_change_info returns random negative number if there was no change in a tree
• BZ - 1167858 - CVE-2014-8105 389-ds-base: information disclosure through 'cn=changelog' subtree
• BZ - 1170707 - cos_cache_build_definition_list does not stop during server shutdown
• BZ - 1170708 - COS memory leak when rebuilding the cache
• BZ - 1170709 - Account lockout attributes incorrectly updated after failed SASL Bind
• BZ - 1171355 - start dirsrv after chrony
• BZ - 1171356 - Bind DN tracking unable to write to internalModifiersName without special permissions
• BZ - 1172597 - Server crashes when memberOf plugin is partially configured
• BZ - 1172729 - CVE-2014-8112 389-ds-base: password hashing bypassed when "nsslapd-unhashed-pw-switch" is set to off
• BZ - 1173273 - [RFE] BDB backend - clear free page files to reduce main db and changelog db size
• BZ - 1180325 - RHEL 7.1 ipa-server-4.1.0 upgrade fails
• BZ - 1182477 - User enable/disable does not sync with ipawinsyncacctdisable set to both
• BZ - 1183655 - IPA replica missing data after master upgraded

CVEs

• CVE-2014-8105
• CVE-2014-8112

References

• http://www.redhat.com/security/updates/classification/#normal