Issued:
2018-10-30
Updated:
2018-10-30

RHSA-2018:3127 - Security Advisory

Synopsis

Moderate: 389-ds-base security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for 389-ds-base is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

The following packages have been upgraded to a later upstream version: 389-ds-base (1.3.8.4). (BZ#1560653)

Security Fix(es):

  • 389-ds-base: Mishandled search requests in servers/slapd/search.c:do_search() allows for denial of service (CVE-2018-14648)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the 389 server service will be restarted automatically.

Affected Products

  • Red Hat Enterprise Linux Server 7 x86_64
  • Red Hat Enterprise Linux Workstation 7 x86_64
  • Red Hat Enterprise Linux Desktop 7 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 7 s390x
  • Red Hat Enterprise Linux for Power, big endian 7 ppc64
  • Red Hat Enterprise Linux for Scientific Computing 7 x86_64
  • Red Hat Enterprise Linux for Power, little endian 7 ppc64le
  • Red Hat Enterprise Linux for ARM 64 7 aarch64
  • Red Hat Enterprise Linux for Power 9 7 ppc64le
  • Red Hat Enterprise Linux for IBM System z (Structure A) 7 s390x

Fixes

  • BZ - 1515190 - "Truncated search results" pop-up appears in user details in WebUI
  • BZ - 1525256 - Invalid SNMP MIB for 389 DS
  • BZ - 1541098 - ds-replcheck: add -W option to ask for the password from stdin instead of passing it on command line
  • BZ - 1544477 - IPA server is not responding, all authentication and admin tests failed
  • BZ - 1551063 - replica_write_ruv log a failure even when it succeeds
  • BZ - 1551065 - ds-replcheck LDIF comparision fails when checking for conflicts
  • BZ - 1551071 - memberof fails if group is moved into scope
  • BZ - 1552698 - replicated operations should be serialized.
  • BZ - 1556803 - ds-replcheck command returns traceback errors against empty ldif files when run in offline mode
  • BZ - 1556863 - ds-replcheck command for "LDAP with StartTLS" using -Z option should be more robust
  • BZ - 1559945 - adjustment of csn_generator can fail so next generated csn can be equal to the most recent one received
  • BZ - 1560653 - Rebase 389-ds-base in RHEL 7.6 to 1.3.8
  • BZ - 1566444 - crash in connection table / nunc-stans ?
  • BZ - 1567042 - ns-slapd segfaults with ERR - connection_release_nolock_ext - conn=0 fd=0 Attempt to release connection that is not acquired
  • BZ - 1568462 - disk monitoring setting the wrong default error log level
  • BZ - 1570033 - Errors log full of " WARN - keys2idl - recieved NULL idl from index_read_ext_allids, treating as empty set" messages
  • BZ - 1570649 - pwdhash segfaults when CRYPT storage scheme is used
  • BZ - 1574602 - Replication stops working when MemberOf plugin is enabled on hub and consumer
  • BZ - 1576485 - Upgrade script doesn't enable PBKDF password storage plug-in
  • BZ - 1581737 - passthrough plugin configured to do starttls does not work.
  • BZ - 1582092 - passwordMustChange attribute is not honored by a RO consumer if "Chain on Update" is implemented on the RO consumer
  • BZ - 1582747 - DS only accepts RSA and Fortezza cipher families
  • BZ - 1593807 - Fine grained password policy can impact search performance
  • BZ - 1596467 - IPA upgrade fails for latest ipa package
  • BZ - 1597384 - Async operations can hang when the server is running nunc-stans
  • BZ - 1597518 - ds-replcheck command returns traceback errors against ldif files having garbage content when run in offline mode
  • BZ - 1598186 - A search with the scope "one" returns a non-matching entry.
  • BZ - 1598478 - If a replica is created with a bindDNGroup, this group is taken into account only after bindDNGroupCheckInterval seconds
  • BZ - 1598718 - import fails if backend name is "default"
  • BZ - 1602425 - ipa user commands when used with '--random' or '--password' option returns 'Constraint violation: Pre-Encoded passwords are not valid' error
  • BZ - 1607078 - CVE-2018-10935 389-ds-base: ldapsearch with server side sort crashes the ldap server [rhel-7.6]
  • BZ - 1614501 - Disable nunc-stans by default
  • BZ - 1614820 - 389-ds-base: Crash in vslapd_log_emergency_error [rhel-7.6]
  • BZ - 1616412 - ipa certmap-match fails to find ipa user when altSecurityIdentities in mapping rule
  • BZ - 1630668 - CVE-2018-14648 389-ds-base: Mishandled search requests in servers/slapd/search.c:do_search() allows for denial of service

Red Hat Enterprise Linux Server 7

SRPM
389-ds-base-1.3.8.4-15.el7.src.rpm SHA-256: a3d2e0411b62a09c4c5380b776d42aa21262dc3be498fd3545ce8069b53c4cd6
x86_64
389-ds-base-1.3.8.4-15.el7.x86_64.rpm SHA-256: c592e2b329cfc3ba936ed886e646209ebdf9a730ca78e867141c6531880df169
389-ds-base-debuginfo-1.3.8.4-15.el7.x86_64.rpm SHA-256: f9eaac1d1c4f9985b1cae275a8ffbb6ec1e1c4557fb2e127d6d06d5c41444ecd
389-ds-base-debuginfo-1.3.8.4-15.el7.x86_64.rpm SHA-256: f9eaac1d1c4f9985b1cae275a8ffbb6ec1e1c4557fb2e127d6d06d5c41444ecd
389-ds-base-devel-1.3.8.4-15.el7.x86_64.rpm SHA-256: ddeae410cb61897ff492c3ce90e33fcafc6dee2e35db5fb2675ed9fa2cef6ea5
389-ds-base-libs-1.3.8.4-15.el7.x86_64.rpm SHA-256: 7c6a119296c2fd2377da56dd7ea9016b11c936e1adaa8e95a19dd9e5ecc9d6e5
389-ds-base-snmp-1.3.8.4-15.el7.x86_64.rpm SHA-256: 57b30dabf78a660791db79bb03a1f47d1ddd016fd358a2fa89f8e2ee8a0eb015

Red Hat Enterprise Linux Workstation 7

SRPM
389-ds-base-1.3.8.4-15.el7.src.rpm SHA-256: a3d2e0411b62a09c4c5380b776d42aa21262dc3be498fd3545ce8069b53c4cd6
x86_64
389-ds-base-1.3.8.4-15.el7.x86_64.rpm SHA-256: c592e2b329cfc3ba936ed886e646209ebdf9a730ca78e867141c6531880df169
389-ds-base-debuginfo-1.3.8.4-15.el7.x86_64.rpm SHA-256: f9eaac1d1c4f9985b1cae275a8ffbb6ec1e1c4557fb2e127d6d06d5c41444ecd
389-ds-base-debuginfo-1.3.8.4-15.el7.x86_64.rpm SHA-256: f9eaac1d1c4f9985b1cae275a8ffbb6ec1e1c4557fb2e127d6d06d5c41444ecd
389-ds-base-devel-1.3.8.4-15.el7.x86_64.rpm SHA-256: ddeae410cb61897ff492c3ce90e33fcafc6dee2e35db5fb2675ed9fa2cef6ea5
389-ds-base-libs-1.3.8.4-15.el7.x86_64.rpm SHA-256: 7c6a119296c2fd2377da56dd7ea9016b11c936e1adaa8e95a19dd9e5ecc9d6e5
389-ds-base-snmp-1.3.8.4-15.el7.x86_64.rpm SHA-256: 57b30dabf78a660791db79bb03a1f47d1ddd016fd358a2fa89f8e2ee8a0eb015

Red Hat Enterprise Linux Desktop 7

SRPM
389-ds-base-1.3.8.4-15.el7.src.rpm SHA-256: a3d2e0411b62a09c4c5380b776d42aa21262dc3be498fd3545ce8069b53c4cd6
x86_64
389-ds-base-1.3.8.4-15.el7.x86_64.rpm SHA-256: c592e2b329cfc3ba936ed886e646209ebdf9a730ca78e867141c6531880df169
389-ds-base-debuginfo-1.3.8.4-15.el7.x86_64.rpm SHA-256: f9eaac1d1c4f9985b1cae275a8ffbb6ec1e1c4557fb2e127d6d06d5c41444ecd
389-ds-base-devel-1.3.8.4-15.el7.x86_64.rpm SHA-256: ddeae410cb61897ff492c3ce90e33fcafc6dee2e35db5fb2675ed9fa2cef6ea5
389-ds-base-libs-1.3.8.4-15.el7.x86_64.rpm SHA-256: 7c6a119296c2fd2377da56dd7ea9016b11c936e1adaa8e95a19dd9e5ecc9d6e5
389-ds-base-snmp-1.3.8.4-15.el7.x86_64.rpm SHA-256: 57b30dabf78a660791db79bb03a1f47d1ddd016fd358a2fa89f8e2ee8a0eb015

Red Hat Enterprise Linux for IBM z Systems 7

SRPM
389-ds-base-1.3.8.4-15.el7.src.rpm SHA-256: a3d2e0411b62a09c4c5380b776d42aa21262dc3be498fd3545ce8069b53c4cd6
s390x
389-ds-base-1.3.8.4-15.el7.s390x.rpm SHA-256: 5fe10f4d3d3ee7f625eb9e4c1a0efdf0cebc6be82f9069e68d69e49c29b3223d
389-ds-base-debuginfo-1.3.8.4-15.el7.s390x.rpm SHA-256: bcdb171177019f8ea1ba271d463fc3277794a0b2bb67664dc000593b0f912f3a
389-ds-base-devel-1.3.8.4-15.el7.s390x.rpm SHA-256: 75d25acda58526ccfc5eaa4f0f4773c334475af01ae4daee5ef98f831c8c5a41
389-ds-base-libs-1.3.8.4-15.el7.s390x.rpm SHA-256: 6e6b519135e51b4f7a345b54f06722ead0f000d6cb0ce36a2378a98d333bcdf4
389-ds-base-snmp-1.3.8.4-15.el7.s390x.rpm SHA-256: 1e45bb0341db25477fed8a08d6b66e701a26cac521ea8c746a052e58263f6787

Red Hat Enterprise Linux for Power, big endian 7

SRPM
389-ds-base-1.3.8.4-15.el7.src.rpm SHA-256: a3d2e0411b62a09c4c5380b776d42aa21262dc3be498fd3545ce8069b53c4cd6
ppc64
389-ds-base-1.3.8.4-15.el7.ppc64.rpm SHA-256: 076ed74155306c96c9ce0508b19f1a5c3e0485db1b4724507dff11eadf5bd530
389-ds-base-debuginfo-1.3.8.4-15.el7.ppc64.rpm SHA-256: bda3e00f19001794957e7bd50617afda516d9a69f1164b1c8e0903f0f95127ed
389-ds-base-devel-1.3.8.4-15.el7.ppc64.rpm SHA-256: bc33bc65ef4500ddd3a30d6ce6a307129ac863bf4068d351eaa71f9c81e3fc89
389-ds-base-libs-1.3.8.4-15.el7.ppc64.rpm SHA-256: 3e24eec5788513b42eed5eeed9d29256890b79ae06d5d2d13f63917f5204830c
389-ds-base-snmp-1.3.8.4-15.el7.ppc64.rpm SHA-256: 2e94cdd854e56fdfc3190d40ccd0851953dec0f961e135bdf2cc9f0003363d5c

Red Hat Enterprise Linux for Scientific Computing 7

SRPM
389-ds-base-1.3.8.4-15.el7.src.rpm SHA-256: a3d2e0411b62a09c4c5380b776d42aa21262dc3be498fd3545ce8069b53c4cd6
x86_64
389-ds-base-1.3.8.4-15.el7.x86_64.rpm SHA-256: c592e2b329cfc3ba936ed886e646209ebdf9a730ca78e867141c6531880df169
389-ds-base-debuginfo-1.3.8.4-15.el7.x86_64.rpm SHA-256: f9eaac1d1c4f9985b1cae275a8ffbb6ec1e1c4557fb2e127d6d06d5c41444ecd
389-ds-base-devel-1.3.8.4-15.el7.x86_64.rpm SHA-256: ddeae410cb61897ff492c3ce90e33fcafc6dee2e35db5fb2675ed9fa2cef6ea5
389-ds-base-libs-1.3.8.4-15.el7.x86_64.rpm SHA-256: 7c6a119296c2fd2377da56dd7ea9016b11c936e1adaa8e95a19dd9e5ecc9d6e5
389-ds-base-snmp-1.3.8.4-15.el7.x86_64.rpm SHA-256: 57b30dabf78a660791db79bb03a1f47d1ddd016fd358a2fa89f8e2ee8a0eb015

Red Hat Enterprise Linux for Power, little endian 7

SRPM
389-ds-base-1.3.8.4-15.el7.src.rpm SHA-256: a3d2e0411b62a09c4c5380b776d42aa21262dc3be498fd3545ce8069b53c4cd6
ppc64le
389-ds-base-1.3.8.4-15.el7.ppc64le.rpm SHA-256: e3cd25adcec2ad3c6a418c8826b19a4c240d1e82cb4b970c1ed82484c489df4b
389-ds-base-debuginfo-1.3.8.4-15.el7.ppc64le.rpm SHA-256: 9ed9e2ef650194d7c005721bb347f4e75c68d33c44c3578f90395b2fdf008af2
389-ds-base-debuginfo-1.3.8.4-15.el7.ppc64le.rpm SHA-256: 9ed9e2ef650194d7c005721bb347f4e75c68d33c44c3578f90395b2fdf008af2
389-ds-base-devel-1.3.8.4-15.el7.ppc64le.rpm SHA-256: c2596a11a7f2dc860e993f83c0f5d956a87fbf5b58cb670e7bd2e631d9ae076c
389-ds-base-libs-1.3.8.4-15.el7.ppc64le.rpm SHA-256: 558d001af5b07ab280c52a678a2fa5b8683b11847da47799e460d2cb742983ad
389-ds-base-snmp-1.3.8.4-15.el7.ppc64le.rpm SHA-256: 091d510cfc2c9592c3a5bea3ae63400e06caac7012b499f2d4d3cc4b6e44601f

Red Hat Enterprise Linux for ARM 64 7

SRPM
389-ds-base-1.3.8.4-15.el7.src.rpm SHA-256: a3d2e0411b62a09c4c5380b776d42aa21262dc3be498fd3545ce8069b53c4cd6
aarch64
389-ds-base-1.3.8.4-15.el7.aarch64.rpm SHA-256: 4f173a39794e69369fe01243f954c16bab56d8a3328580a1fb918bac05d73a00
389-ds-base-debuginfo-1.3.8.4-15.el7.aarch64.rpm SHA-256: d6282d26a1d66000b628ae031a6413659c935c04af3baf31a743830c8ea19077
389-ds-base-debuginfo-1.3.8.4-15.el7.aarch64.rpm SHA-256: d6282d26a1d66000b628ae031a6413659c935c04af3baf31a743830c8ea19077
389-ds-base-devel-1.3.8.4-15.el7.aarch64.rpm SHA-256: 7d1c85bb95c9551e54cf0829c2930fa6cf1b44bf5a764f68e29fb480929f5724
389-ds-base-libs-1.3.8.4-15.el7.aarch64.rpm SHA-256: e4f9946bdc5982d57f94cdd5b541ded6e59b43a0af84a61c8858240c2d2ff719
389-ds-base-snmp-1.3.8.4-15.el7.aarch64.rpm SHA-256: c05961141163d7e5d28d94000d098422497a75366147984edd436b3afec18d63

Red Hat Enterprise Linux for Power 9 7

SRPM
389-ds-base-1.3.8.4-15.el7.src.rpm SHA-256: a3d2e0411b62a09c4c5380b776d42aa21262dc3be498fd3545ce8069b53c4cd6
ppc64le
389-ds-base-1.3.8.4-15.el7.ppc64le.rpm SHA-256: e3cd25adcec2ad3c6a418c8826b19a4c240d1e82cb4b970c1ed82484c489df4b
389-ds-base-debuginfo-1.3.8.4-15.el7.ppc64le.rpm SHA-256: 9ed9e2ef650194d7c005721bb347f4e75c68d33c44c3578f90395b2fdf008af2
389-ds-base-debuginfo-1.3.8.4-15.el7.ppc64le.rpm SHA-256: 9ed9e2ef650194d7c005721bb347f4e75c68d33c44c3578f90395b2fdf008af2
389-ds-base-devel-1.3.8.4-15.el7.ppc64le.rpm SHA-256: c2596a11a7f2dc860e993f83c0f5d956a87fbf5b58cb670e7bd2e631d9ae076c
389-ds-base-libs-1.3.8.4-15.el7.ppc64le.rpm SHA-256: 558d001af5b07ab280c52a678a2fa5b8683b11847da47799e460d2cb742983ad
389-ds-base-snmp-1.3.8.4-15.el7.ppc64le.rpm SHA-256: 091d510cfc2c9592c3a5bea3ae63400e06caac7012b499f2d4d3cc4b6e44601f

Red Hat Enterprise Linux for IBM System z (Structure A) 7

SRPM
389-ds-base-1.3.8.4-15.el7.src.rpm SHA-256: a3d2e0411b62a09c4c5380b776d42aa21262dc3be498fd3545ce8069b53c4cd6
s390x
389-ds-base-1.3.8.4-15.el7.s390x.rpm SHA-256: 5fe10f4d3d3ee7f625eb9e4c1a0efdf0cebc6be82f9069e68d69e49c29b3223d
389-ds-base-debuginfo-1.3.8.4-15.el7.s390x.rpm SHA-256: bcdb171177019f8ea1ba271d463fc3277794a0b2bb67664dc000593b0f912f3a
389-ds-base-devel-1.3.8.4-15.el7.s390x.rpm SHA-256: 75d25acda58526ccfc5eaa4f0f4773c334475af01ae4daee5ef98f831c8c5a41
389-ds-base-libs-1.3.8.4-15.el7.s390x.rpm SHA-256: 6e6b519135e51b4f7a345b54f06722ead0f000d6cb0ce36a2378a98d333bcdf4
389-ds-base-snmp-1.3.8.4-15.el7.s390x.rpm SHA-256: 1e45bb0341db25477fed8a08d6b66e701a26cac521ea8c746a052e58263f6787

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.