RHSA-2024:1372 - Security Advisory

Topic

An update for the redhat-ds:11 module is now available for Red Hat Directory Server 11.7 for RHEL 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Directory Server is an LDAPv3-compliant directory server. The suite of packages includes the Lightweight Directory Access Protocol (LDAP) server, as well as command-line utilities and Web UI packages for server administration.

Security Fix(es):

• 389-ds-base: A heap overflow flaw that leads to a denial of service when writing a value larger than 256 chars in log_entry_attr. (CVE-2024-1062)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es) and Enhancement(s):

• Adequate etime and no error "Retry count exceeded" on bind, add, delete, and modify operations from revert_cache (BZ#2268136)
• RHDS LDAP server segmentation works as expected (BZ#2268138)
• Slow search when using filter with a virtual attribute (eg: nsRole ). (BZ#2265536)
• RHDS healthcheck incorrectly complains about missing backend definitions. (BZ#2265537)
• Paged search impacts performance (BZ#2265544)
• dtablesize being set to soft maxfiledescriptor limit causing massive slowdown in large environments (BZ#2265538)
• dsconf should prevent setting the replicaID for hub and consumer roles. (BZ#2265543)
• bdb_start - Detected Disorderly Shutdown directory server is not starting (BZ#2265540)
• After an upgrade the LDAP server wont start if nsslapd-conntablesize is present in the dse.ldif file (BZ#2265539)
• [RFE] Required to support both at a same time account inactivity and expiration. (BZ#2265541)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Directory Server 11.7 x86_64
• Red Hat Directory Server - Extended Update Support 11 x86_64

Fixes

• BZ - 2261879 - CVE-2024-1062 389-ds-base: a heap overflow leading to denail-of-servce while writing a value larger than 256 chars (in log_entry_attr)
• BZ - 2265536 - Slow search when using filter with a virtual attribute (eg: nsRole ).
• BZ - 2265537 - RHDS healthcheck incorrectly complains about missing backend definitions.
• BZ - 2265538 - dtablesize being set to soft maxfiledescriptor limit causing massive slowdown in large environments
• BZ - 2265539 - After an upgrade the LDAP server won't start if nsslapd-conntablesize is present in the dse.ldif file
• BZ - 2265540 - bdb_start - Detected Disorderly Shutdown directory server is not starting
• BZ - 2265541 - [RFE] Required to support both at a same time account inactivity and expiration.
• BZ - 2265542 - ns-slapd crash in slapi_attr_basetype
• BZ - 2265543 - dsconf should prevent setting the replicaID for hub and consumer roles.
• BZ - 2265544 - Paged search impacts performance
• BZ - 2268136 - Long etime and error "Retry count exceeded' on BIND/ADD/DEL/MOD from revert_cache [11.7.z]
• BZ - 2268138 - RHDS LDAP server Segmentation fault, apparent heap corruption, crashes in OpenSSL after SSL_do_handshake [11.7.z]

CVEs

• CVE-2024-1062

References

• https://access.redhat.com/security/updates/classification/#moderate