Issued: 2024-03-19
Updated: 2024-03-19
RHSA-2024:1372 - Security Advisory
Synopsis
Moderate: redhat-ds:11 security, bug fix, and enhancement update
Type/Severity
Security Advisory: Moderate
Topic
An update for the redhat-ds:11 module is now available for Red Hat Directory Server 11.7 for RHEL 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat Directory Server is an LDAPv3-compliant directory server. The suite of packages includes the Lightweight Directory Access Protocol (LDAP) server, as well as command-line utilities and Web UI packages for server administration.
Security Fix(es):
- 389-ds-base: A heap overflow flaw that leads to a denial of service when writing a value larger than 256 chars in log_entry_attr. (CVE-2024-1062)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
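The following is an added illustration of the bug class the advisory names (a value longer than a fixed 256-byte log buffer overflowing a heap allocation) and of the bounded alternative. It is not 389-ds-base or Red Hat source; the function names, the buffer layout and the truncation marker are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not 389-ds-base code): a fixed 256-byte scratch
 * buffer receives an attribute value before it is written to the log. */
#define ATTR_LOG_BUF 256

/* Unsafe shape: the copy is not bounded by the buffer size, so a value of
 * 256 or more characters writes past the heap allocation. Kept only for
 * contrast with the bounded version below; nothing in this file calls it. */
void log_entry_attr_unbounded(const char *attr, const char *value)
{
    char *buf = malloc(ATTR_LOG_BUF);
    if (buf == NULL)
        return;
    strcpy(buf, value);             /* heap overflow when strlen(value) >= 256 */
    printf("%s: %s\n", attr, buf);
    free(buf);
}

/* Bounded copy: never writes more than outlen bytes, always NUL-terminates,
 * and returns 1 when the value had to be cut so the caller can say so.
 * Returns 0 when the whole value fit and -1 when outlen is zero. */
int copy_attr_value(char *out, size_t outlen, const char *value)
{
    size_t n = strlen(value);
    if (outlen == 0)
        return -1;
    if (n >= outlen) {
        memcpy(out, value, outlen - 1);
        out[outlen - 1] = '\0';
        return 1;
    }
    memcpy(out, value, n + 1);
    return 0;
}

/* Hardened logger: formats "attr: value" into the caller's line buffer,
 * truncating the value to ATTR_LOG_BUF-1 characters and marking the cut.
 * Returns 1 if the value was truncated, 0 otherwise, -1 on error. */
int log_entry_attr_bounded(char *line, size_t linelen,
                           const char *attr, const char *value)
{
    char buf[ATTR_LOG_BUF];
    int truncated = copy_attr_value(buf, sizeof buf, value);
    if (truncated < 0)
        return -1;
    int w = snprintf(line, linelen, "%s: %s%s", attr, buf,
                     truncated ? " [truncated]" : "");
    if (w < 0)
        return -1;
    return truncated;
}

int main(void)
{
    char line[512];
    char big[300];                   /* constructed 299-char value */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    log_entry_attr_bounded(line, sizeof line, "description", "short value");
    puts(line);
    /* The same value that would overflow the unbounded logger is cut safely. */
    log_entry_attr_bounded(line, sizeof line, "description", big);
    printf("%.40s... (%zu chars written)\n", line, strlen(line));
    return 0;
}
```

The point of the bounded version is that the caller's buffer size, not the attacker-controlled value length, decides how many bytes are written, and that the truncation is visible in the log rather than silent.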
Bug Fix(es) and Enhancement(s):
- Adequate etime and no error "Retry count exceeded" on bind, add, delete, and modify operations from revert_cache (BZ#2268136)
- RHDS LDAP server segmentation works as expected (BZ#2268138)
- Slow search when using a filter with a virtual attribute (e.g. nsRole). (BZ#2265536)
- RHDS healthcheck incorrectly complains about missing backend definitions. (BZ#2265537)
- Paged search impacts performance (BZ#2265544)
- dtablesize being set to soft maxfiledescriptor limit causing massive slowdown in large environments (BZ#2265538)
- dsconf should prevent setting the replicaID for hub and consumer roles. (BZ#2265543)
- bdb_start: "Detected Disorderly Shutdown", directory server is not starting (BZ#2265540)
- After an upgrade the LDAP server won't start if nsslapd-conntablesize is present in the dse.ldif file (BZ#2265539)
- [RFE] Support account inactivity and account expiration at the same time. (BZ#2265541)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat Directory Server 11.7 x86_64
- Red Hat Directory Server - Extended Update Support 11 x86_64
Fixes
- BZ - 2261879 - CVE-2024-1062 389-ds-base: a heap overflow leading to denial-of-service while writing a value larger than 256 chars (in log_entry_attr)
- BZ - 2265536 - Slow search when using a filter with a virtual attribute (e.g. nsRole).
- BZ - 2265537 - RHDS healthcheck incorrectly complains about missing backend definitions.
- BZ - 2265538 - dtablesize being set to soft maxfiledescriptor limit causing massive slowdown in large environments
- BZ - 2265539 - After an upgrade the LDAP server won't start if nsslapd-conntablesize is present in the dse.ldif file
- BZ - 2265540 - bdb_start: "Detected Disorderly Shutdown", directory server is not starting
- BZ - 2265541 - [RFE] Support account inactivity and account expiration at the same time.
- BZ - 2265542 - ns-slapd crash in slapi_attr_basetype
- BZ - 2265543 - dsconf should prevent setting the replicaID for hub and consumer roles.
- BZ - 2265544 - Paged search impacts performance
- BZ - 2268136 - Long etime and error "Retry count exceeded" on BIND/ADD/DEL/MOD from revert_cache [11.7.z]
- BZ - 2268138 - RHDS LDAP server Segmentation fault, apparent heap corruption, crashes in OpenSSL after SSL_do_handshake [11.7.z]
CVEs
Red Hat Directory Server 11.7
SRPM

Package | Checksum
---|---
389-ds-base-1.4.3.34-3.module+el8dsrv+21391+b62d2223.src.rpm | SHA-256: deab601221d995e26494313f4857c181f067c304bda470acb18a74c197cbf96f |

x86_64

Package | Checksum
---|---
389-ds-base-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: 4e1e1a52f2b7cf9ec7971aad6815990d6263fc8de7f0d8c7135a7e5be2786b99 |
389-ds-base-debuginfo-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: 5e946ecb4419e889b2cd85dd12fee3bf80d5daa256d38a06ea7b5d875011ed8d |
389-ds-base-debugsource-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: d395b0406df88e486abab25de7e0dd19995d526ac17915e0856b840cad6f90c9 |
389-ds-base-devel-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: 8c378bb15b8410eb04618091eb56d4297cbc5d99b01119a8df3214e98890d7a6 |
389-ds-base-legacy-tools-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: 345744ce2e44aa49ce89b78a727202431b11d3746d53e246c2766fc458383341 |
389-ds-base-legacy-tools-debuginfo-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: b929135873eb22fc312248c96dad83f0b31adf6229108d7234abf1b0bba3acb5 |
389-ds-base-libs-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: 15037f9baaeea6d2e1249713c9b52199aa4d9ad90942d4835bc6fcafbed56a9e |
389-ds-base-libs-debuginfo-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: b3de4628f677343fac88a6c72f15153086df8d680ad9c95ca8afb88ee6b29ebe |
389-ds-base-snmp-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: c8486994d03ae212a4229d8712b0f14d64989f57d241992cc15f5cf6d2e12b1d |
389-ds-base-snmp-debuginfo-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: 0e3cf119990edd8fda66460cf85bbf163e7a36b17fa4f046f79096f254eca188 |
cockpit-389-ds-1.4.3.34-3.module+el8dsrv+21391+b62d2223.noarch.rpm | SHA-256: a45346fd1db6f73ababf320ffc42629c186127ddb35d9b51047e8bd88d4e4568 |
python3-lib389-1.4.3.34-3.module+el8dsrv+21391+b62d2223.noarch.rpm | SHA-256: 614123b45229ae74dec1efa016387fe37d8b8084c75a29086e684321130fbe9e |
Red Hat Directory Server - Extended Update Support 11
SRPM

Package | Checksum
---|---
389-ds-base-1.4.3.34-3.module+el8dsrv+21391+b62d2223.src.rpm | SHA-256: deab601221d995e26494313f4857c181f067c304bda470acb18a74c197cbf96f |

x86_64

Package | Checksum
---|---
389-ds-base-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: 4e1e1a52f2b7cf9ec7971aad6815990d6263fc8de7f0d8c7135a7e5be2786b99 |
389-ds-base-debuginfo-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: 5e946ecb4419e889b2cd85dd12fee3bf80d5daa256d38a06ea7b5d875011ed8d |
389-ds-base-debugsource-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: d395b0406df88e486abab25de7e0dd19995d526ac17915e0856b840cad6f90c9 |
389-ds-base-devel-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: 8c378bb15b8410eb04618091eb56d4297cbc5d99b01119a8df3214e98890d7a6 |
389-ds-base-legacy-tools-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: 345744ce2e44aa49ce89b78a727202431b11d3746d53e246c2766fc458383341 |
389-ds-base-legacy-tools-debuginfo-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: b929135873eb22fc312248c96dad83f0b31adf6229108d7234abf1b0bba3acb5 |
389-ds-base-libs-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: 15037f9baaeea6d2e1249713c9b52199aa4d9ad90942d4835bc6fcafbed56a9e |
389-ds-base-libs-debuginfo-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: b3de4628f677343fac88a6c72f15153086df8d680ad9c95ca8afb88ee6b29ebe |
389-ds-base-snmp-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: c8486994d03ae212a4229d8712b0f14d64989f57d241992cc15f5cf6d2e12b1d |
389-ds-base-snmp-debuginfo-1.4.3.34-3.module+el8dsrv+21391+b62d2223.x86_64.rpm | SHA-256: 0e3cf119990edd8fda66460cf85bbf163e7a36b17fa4f046f79096f254eca188 |
cockpit-389-ds-1.4.3.34-3.module+el8dsrv+21391+b62d2223.noarch.rpm | SHA-256: a45346fd1db6f73ababf320ffc42629c186127ddb35d9b51047e8bd88d4e4568 |
python3-lib389-1.4.3.34-3.module+el8dsrv+21391+b62d2223.noarch.rpm | SHA-256: 614123b45229ae74dec1efa016387fe37d8b8084c75a29086e684321130fbe9e |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.