ELSA-2015-0416

ELSA-2015-0416 - 389-ds-base security, bug fix, and enhancement update

Type: SECURITY
Severity: IMPORTANT
Release Date: 2015-03-09

Description


[1.3.3.1-13]
- release 1.3.3.1-13
- Resolves: bug 1183655 - Fixed Covscan FORWARD_NULL defects (DS 47988)

[1.3.3.1-12]
- release 1.3.3.1-12
- Resolves: bug 1182477 - Windows Sync accidentally cleared raw_entry (DS 47989)
- Resolves: bug 1180325 - upgrade script fails if /etc and /var are on different file systems (DS 47991)
- Resolves: bug 1183655 - Schema learning mechanism, in replication, unable to extend an existing definition (DS 47988)

[1.3.3.1-11]
- release 1.3.3.1-11
- Resolves: bug 1080186 - During delete operation do not refresh cache entry if it is a tombstone (DS 47750)

[1.3.3.1-10]
- release 1.3.3.1-10
- Resolves: bug 1172731 - CVE-2014-8112 password hashing bypassed when 'nsslapd-unhashed-pw-switch' is set to off
- Resolves: bug 1166265 - DS hangs during online total update (DS 47942)
- Resolves: bug 1168151 - CVE-2014-8105 information disclosure through 'cn=changelog' subtree
- Resolves: bug 1044170 - Allow memberOf suffixes to be configurable (DS 47526)
- Resolves: bug 1171356 - Bind DN tracking unable to write to internalModifiersName without special permissions (DS 47950)
- Resolves: bug 1153737 - logconv.pl -- support parsing/showing/reporting different protocol versions (DS 47949)
- Resolves: bug 1171355 - start dirsrv after chrony on RHEL7 and Fedora (DS 47947)
- Resolves: bug 1170707 - cos_cache_build_definition_list does not stop during server shutdown (DS 47967)
- Resolves: bug 1170708 - COS memory leak when rebuilding the cache (DS - Ticket 47969)
- Resolves: bug 1170709 - Account lockout attributes incorrectly updated after failed SASL Bind (DS 47970)
- Resolves: bug 1166260 - cookie_change_info returns random negative number if there was no change in a tree (DS 47960)
- Resolves: bug 1012991 - Error log levels not displayed correctly (DS 47636)
- Resolves: bug 1108881 - rsearch filter error on any search filter (DS 47722)
- Resolves: bug 994690 - Allow dynamically adding/enabling/disabling/removing plugins without requiring a server restart (DS 47451)
- Resolves: bug 1162997 - Running a plugin task can crash the server (DS 47451)
- Resolves: bug 1166252 - RHEL7.1 ns-slapd segfault when ipa-replica-install restarts (DS 47451)
- Resolves: bug 1172597 - Crash if setting invalid plugin config area for MemberOf Plugin (DS 47525)
- Resolves: bug 1139882 - coverity defects found in 1.3.3.x (DS 47965)

[1.3.3.1-9]
- release 1.3.3.1-9
- Resolves: bug 1153737 - Disable SSL v3, by default. (DS 47928)
- Resolves: bug 1163461 - Should not check aci syntax when deleting an aci (DS 47953)

[1.3.3.1-8]
- release 1.3.3.1-8
- Resolves: bug 1156607 - Crash in entry_add_present_values_wsi_multi_valued (DS 47937)
- Resolves: bug 1153737 - Disable SSL v3, by default (DS 47928, DS 47945, DS 47948)
- Resolves: bug 1158804 - Malformed cookie for LDAP Sync makes DS crash (DS 47939)

[1.3.3.1-7]
- release 1.3.3.1-7
- Resolves: bug 1153737 - Disable SSL v3, by default (DS 47928)

[1.3.3.1-6]
- release 1.3.3.1-6
- Resolves: bug 1151287 - dynamically added macro aci is not evaluated on the fly (DS 47922)
- Resolves: bug 1080186 - Need to move slapi_pblock_set(pb, SLAPI_MODRDN_EXISTING_ENTRY, original_entry->ep_entry) prior to original_entry overwritten (DS 47897)
- Resolves: bug 1150694 - Encoding of SearchResultEntry is missing tag (DS 47920)
- Resolves: bug 1150695 - ldbm_back_modify SLAPI_PLUGIN_BE_PRE_MODIFY_FN does not return even if one of the preop plugins fails. (DS 47919)
- Resolves: bug 1139882 - Fix remaining compiler warnings (DS 47892)
- Resolves: bug 1150206 - result of dna_dn_is_shared_config is incorrectly used (DS 47918)

[1.3.3.1-5]
- release 1.3.3.1-5
- Resolves: bug 1139882 - coverity defects found in 1.3.3.x (DS 47892)

[1.3.3.1-4]
- release 1.3.3.1-4
- Resolves: bug 1080186 - Creating a glue fails if one above level is a conflict or missing (DS 47750)
- Resolves: bug 1145846 - 389-ds 1.3.3.0 does not adjust cipher suite configuration on upgrade, breaks itself and pki-server (DS 47908)
- Resolves: bug 1117979 - harden the list of ciphers available by default (phase 2) (DS 47838)
- provide enabled ciphers as search result (DS 47880)

[1.3.3.1-3]
- release 1.3.3.1-3
- Resolves: bug 1139882 - coverity defects found in 1.3.3.1

[1.3.3.1-2]
- release 1.3.3.1-2
- Resolves: bug 1079099 - Simultaneous adding a user and binding as the user could fail in the password policy check (DS 47748)
- Resolves: bug 1080186 - Creating a glue fails if one above level is a conflict or missing (DS 47834)
- Resolves: bug 1139882 - coverity defects found in 1.3.3.1 (DS 47890)
- Resolves: bug 1112702 - Broken dereference control with the FreeIPA 4.0 ACIs (DS 47885 - deref plugin should not return references with noc access rights)
- Resolves: bug 1117979 - harden the list of ciphers available by default (DS 47838, DS 47895)
- Resolves: bug 1080186 - Creating a glue fails if one above level is a conflict or missing (DS 47889 - DS crashed during ipa-server-install on test_ava_filter)

[1.3.3.1-1]
- release 1.3.3.1-1
- Resolves: bug 746646 - RFE: easy way to configure which users and groups to sync with winsync
- Resolves: bug 881372 - nsDS5BeginReplicaRefresh attribute accepts any value and it doesn't throw any error when server restarts.
- Resolves: bug 920597 - Possible to add invalid ACI value
- Resolves: bug 921162 - Possible to add nonexistent target to ACI
- Resolves: bug 923799 - if nsslapd-cachememsize set to the number larger than the RAM available, should result in proper error message.
- Resolves: bug 924937 - Attribute 'dsOnlyMemberUid' not allowed when syncing nested posix groups from AD with posixWinsync
- Resolves: bug 951754 - Self entry access ACI not working properly
- Resolves: bug 952517 - Dirsrv instance failed to start with Segmentation fault (core dump) after modifying 7-bit check plugin
- Resolves: bug 952682 - nsslapd-db-transaction-batch-val turns to -1
- Resolves: bug 966443 - Plugin library path validation
- Resolves: bug 975176 - Non-directory manager can change the individual userPassword's storage scheme
- Resolves: bug 979465 - IPA replica's - 'SASL encrypted packet length exceeds maximum allowed limit'
- Resolves: bug 982597 - Some attributes in cn=config should not be multivalued
- Resolves: bug 987009 - 389-ds-base - shebang with /usr/bin/env
- Resolves: bug 994690 - RFE: Allow dynamically adding/enabling/disabling/removing plugins without requiring a server restart
- Resolves: bug 1012991 - errorlog-level 16384 is listed as 0 in cn=config
- Resolves: bug 1013736 - Enabling/Disabling DNA plug-in throws 'ldap_modify: Server Unwilling to Perform (53)' error
- Resolves: bug 1014380 - setup-ds.pl doesn't lookup the 'root' group correctly
- Resolves: bug 1020459 - rsa_null_sha should not be enabled by default
- Resolves: bug 1024541 - start dirsrv after ntpd
- Resolves: bug 1029959 - Managed Entries betxnpreoperation - transaction not aborted upon failure to create managed entry
- Resolves: bug 1031216 - add dbmon.sh
- Resolves: bug 1044133 - Indexed search with filter containing '&' and '!' with attribute subtypes gives wrong result
- Resolves: bug 1044134 - should set LDAP_OPT_X_SASL_NOCANON to LDAP_OPT_ON by default
- Resolves: bug 1044135 - make connection buffer size adjustable
- Resolves: bug 1044137 - posix winsync should support ADD user/group entries from DS to AD
- Resolves: bug 1044138 - mep_pre_op: Unable to fetch origin entry
- Resolves: bug 1044139 - [RFE] Support RFC 4527 Read Entry Controls
- Resolves: bug 1044140 - Allow search to look up 'in memory RUV'
- Resolves: bug 1044141 - MMR stress test with dna enabled causes a deadlock
- Resolves: bug 1044142 - winsync doesn't sync DN valued attributes if DS DN value doesn't exist
- Resolves: bug 1044143 - modrdn + NSMMReplicationPlugin - Consumer failed to replay change
- Resolves: bug 1044144 - resurrected entry is not correctly indexed
- Resolves: bug 1044146 - Add a warning message when a connection hits the max number of threads
- Resolves: bug 1044147 - 7-bit check plugin does not work for userpassword attribute
- Resolves: bug 1044148 - The backend name provided to bak2db is not validated
- Resolves: bug 1044149 - Winsync should support range retrieval
- Resolves: bug 1044150 - 7-bit checking is not necessary for userPassword
- Resolves: bug 1044151 - With SeLinux, ports can be labelled per range. setup-ds.pl or setup-ds-admin.pl fail to detect already ranged labelled ports
- Resolves: bug 1044152 - ChainOnUpdate: 'cn=directory manager' can modify userRoot on consumer without changes being chained or replicated. Directory integrity compromised.
- Resolves: bug 1044153 - mods optimizer
- Resolves: bug 1044154 - multi master replication allows schema violation
- Resolves: bug 1044156 - DS crashes with some 7-bit check plugin configurations
- Resolves: bug 1044157 - Some updates of 'passwordgraceusertime' are useless when updating 'userpassword'
- Resolves: bug 1044159 - [RFE] Support 'Content Synchronization Operation' (SyncRepl) - RFC 4533
- Resolves: bug 1044160 - remove-ds.pl should remove /var/lock/dirsrv
- Resolves: bug 1044162 - enhance retro changelog
- Resolves: bug 1044163 - updates to ruv entry are written to retro changelog
- Resolves: bug 1044164 - Password administrators should be able to violate password policy
- Resolves: bug 1044168 - Schema replication between DS versions may overwrite newer base schema
- Resolves: bug 1044169 - ACIs do not allow attribute subtypes in targetattr keyword
- Resolves: bug 1044170 - Allow memberOf suffixes to be configurable
- Resolves: bug 1044171 - Allow referential integrity suffixes to be configurable
- Resolves: bug 1044172 - Plugin library path validation prevents intentional loading of out-of-tree modules
- Resolves: bug 1044173 - make referential integrity configuration more flexible
- Resolves: bug 1044177 - allow configuring changelog trim interval
- Resolves: bug 1044179 - objectclass may, must lists skip rest of objectclass once first is found in sup
- Resolves: bug 1044180 - memberOf on a user is converted to lowercase
- Resolves: bug 1044181 - report unindexed internal searches
- Resolves: bug 1044183 - With 1.3.04 and subtree-renaming OFF, when a user is deleted after restarting the server, the same entry can't be added
- Resolves: bug 1044185 - dbscan on entryrdn should show all matching values
- Resolves: bug 1044187 - logconv.pl - RFE - add on option for a minimum etime for unindexed search stats
- Resolves: bug 1044188 - Recognize compressed log files
- Resolves: bug 1044191 - support TLSv1.1 and TLSv1.2, if supported by NSS
- Resolves: bug 1044193 - default nsslapd-sasl-max-buffer-size should be 2MB
- Resolves: bug 1044194 - Complex filter in a search request doesn't work as expected.
- Resolves: bug 1044196 - Automember plug-in should treat MODRDN operations as ADD operations
- Resolves: bug 1044198 - Replication of the schema may overwrite consumer 'attributetypes' even if consumer definition is a superset
- Resolves: bug 1044202 - db2bak.pl issue when specifying non-default directory
- Resolves: bug 1044203 - Allow referint plugin to use an alternate config area
- Resolves: bug 1044205 - Allow memberOf to use an alternate config area
- Resolves: bug 1044210 - idl switch does not work
- Resolves: bug 1044211 - make old-idl tunable
- Resolves: bug 1044212 - IDL-style can become mismatched during partial restoration
- Resolves: bug 1044213 - backend performance - introduce optimization levels
- Resolves: bug 1044215 - using transaction batchval violates durability
- Resolves: bug 1044216 - examine replication code to reduce amount of stored state information
- Resolves: bug 1048980 - 7-bit check plugin not checking MODRDN operation
- Resolves: bug 1049030 - Windows Sync group issues
- Resolves: bug 1052751 - Page control does not work if effective rights control is specified
- Resolves: bug 1052754 - Allow nsDS5ReplicaBindDN to be a group DN
- Resolves: bug 1057803 - logconv errors when search has invalid bind dn
- Resolves: bug 1060032 - [RFE] Update lastLoginTime also in Account Policy plugin if account lockout is based on passwordExpirationTime.
- Resolves: bug 1061060 - betxn: retro changelog broken after cancelled transaction
- Resolves: bug 1061572 - improve dbgen rdn generation, output and man page.
- Resolves: bug 1063990 - single valued attribute replicated ADD does not work
- Resolves: bug 1064006 - Size returned by slapi_entry_size is not accurate
- Resolves: bug 1064986 - Replication retry time attributes cannot be added
- Resolves: bug 1067090 - Missing warning for invalid replica backoff configuration
- Resolves: bug 1072032 - Updating nsds5ReplicaHost attribute in a replication agreement fails with error 53
- Resolves: bug 1074306 - Under heavy stress, failure of turning a tombstone into glue makes the server hung
- Resolves: bug 1074447 - Part of DNA shared configuration is deleted after server restart
- Resolves: bug 1076729 - Continuous add/delete of an entry in MMR setup causes entryrdn-index conflict
- Resolves: bug 1077884 - ldap/servers/slapd/back-ldbm/dblayer.c: possible minor problem with sscanf
- Resolves: bug 1077897 - Memory leak with proxy auth control
- Resolves: bug 1079099 - Simultaneous adding a user and binding as the user could fail in the password policy check
- Resolves: bug 1080186 - Creating a glue fails if one above level is a conflict or missing
- Resolves: bug 1082967 - attribute uniqueness plugin fails when set as a chaining component
- Resolves: bug 1085011 - Directory Server crash reported from reliab15 execution
- Resolves: bug 1086890 - empty modify returns LDAP_INVALID_DN_SYNTAX
- Resolves: bug 1086902 - mem leak in do_bind when there is an error
- Resolves: bug 1086904 - mem leak in do_search - rawbase not freed upon certain errors
- Resolves: bug 1086908 - Performing deletes during tombstone purging results in operation errors
- Resolves: bug 1090178 - #481 breaks possibility to reassemble memberuid list
- Resolves: bug 1092099 - A replicated MOD fails (Unwilling to perform) if it targets a tombstone
- Resolves: bug 1092342 - nsslapd-ndn-cache-max-size accepts any invalid value.
- Resolves: bug 1092648 - Negative value of nsSaslMapPriority is not reset to lowest priority
- Resolves: bug 1097004 - Problem with deletion while replicated
- Resolves: bug 1098654 - db2bak.pl error with changelogdb
- Resolves: bug 1099654 - Normalization from old DN format to New DN format doesn't handle condition properly when there is space in a suffix after the separator operator.
- Resolves: bug 1108405 - find a way to remove replication plugin errors messages 'changelog iteration code returned a dummy entry with csn %s, skipping ...'
- Resolves: bug 1108407 - managed entry plugin fails to update managed entry pointer on modrdn operation
- Resolves: bug 1108865 - memory leak in ldapsearch filter objectclass=*
- Resolves: bug 1108870 - ACI warnings in error log
- Resolves: bug 1108872 - Logconv.pl with an empty access log gives lots of errors
- Resolves: bug 1108874 - logconv.pl memory continually grows
- Resolves: bug 1108881 - rsearch filter error on any search filter
- Resolves: bug 1108895 - [RFE - RHDS9] CLI report to monitor replication
- Resolves: bug 1108902 - rhds91 389-ds-base-1.2.11.15-31.el6_5.x86_64 crash in db4 __dbc_get_pp env = 0x0 ?
- Resolves: bug 1108909 - single valued attribute replicated ADD does not work
- Resolves: bug 1109334 - 389 Server crashes if uniqueMember is invalid syntax and memberOf plugin is enabled.
- Resolves: bug 1109336 - Parent numsubordinate count can be incorrectly updated if an error occurs
- Resolves: bug 1109339 - Nested tombstones become orphaned after purge
- Resolves: bug 1109354 - Tombstone purging can crash the server if the backend is stopped/disabled
- Resolves: bug 1109357 - Coverity issue in 1.3.3
- Resolves: bug 1109364 - valgrind - value mem leaks, uninit mem usage
- Resolves: bug 1109375 - provide default syntax plugin
- Resolves: bug 1109378 - Environment variables are not passed when DS is started via service
- Resolves: bug 1111364 - Updating winsync one-way sync does not affect the behaviour dynamically
- Resolves: bug 1112824 - Broken dereference control with the FreeIPA 4.0 ACIs
- Resolves: bug 1113605 - server restart wipes out index config if there is a default index
- Resolves: bug 1115177 - attrcrypt_generate_key calls slapd_pk11_TokenKeyGenWithFlags with improper macro
- Resolves: bug 1117021 - Server deadlock if online import started while server is under load
- Resolves: bug 1117975 - paged results control is not working in some cases when we have a subsuffix.
- Resolves: bug 1117979 - harden the list of ciphers available by default
- Resolves: bug 1117981 - Fix various typos in manpages & code
- Resolves: bug 1117982 - Fix hyphens used as minus signed and other manpage mistakes
- Resolves: bug 1118002 - server crashes deleting a replication agreement
- Resolves: bug 1118006 - RFE - forcing passwordmustchange attribute by non-cn=directory manager
- Resolves: bug 1118007 - [RFE] Make it possible for privileges to be provided to an admin user to import an LDIF file containing hashed passwords
- Resolves: bug 1118014 - Enhance ACIs to have more control over MODRDN operations
- Resolves: bug 1118021 - Return all attributes in rootdse without explicit request
- Resolves: bug 1118025 - Slow ldapmodify operation time for large quantities of multi-valued attribute values
- Resolves: bug 1118032 - Schema Replication Issue
- Resolves: bug 1118034 - 389 DS Server crashes and dies while handles paged searches from clients
- Resolves: bug 1118043 - Failed deletion of aci: no such attribute
- Resolves: bug 1118048 - If be_txn plugin fails in ldbm_back_add, adding entry is double freed.
- Resolves: bug 1118051 - Add switch to disable pre-hashed password checking
- Resolves: bug 1118054 - Make ldbm_back_seq independently support transactions
- Resolves: bug 1118055 - Add operations rejected by betxn plugins remain in cache
- Resolves: bug 1118057 - online import crashes server if using verbose error logging
- Resolves: bug 1118059 - add fixup-memberuid.pl script
- Resolves: bug 1118060 - winsync plugin modify is broken
- Resolves: bug 1118066 - memberof scope: allow to exclude subtrees
- Resolves: bug 1118069 - 389-ds production segfault: __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:144
- Resolves: bug 1118074_DELETE_FN - plugin returned error' messages
- Resolves: bug 1118076 - ds logs many 'Operation error fetching Null DN' messages
- Resolves: bug 1118077 - Improve import logging and abort handling
- Resolves: bug 1118079 - Multi master replication initialization incomplete after restore of one master
- Resolves: bug 1118080 - Don't add unhashed password mod if we don't have an unhashed value
- Resolves: bug 1118081 - Investigate betxn plugins to ensure they return the correct error code
- Resolves: bug 1118082 - The error result text message should be obtained just prior to sending result
- Resolves: bug 1123865 - CVE-2014-3562 389-ds-base: 389-ds: unauthenticated information disclosure [rhel-7.1]


Related CVEs


CVE-2014-8105
CVE-2014-8112

Updated Packages


Release/Architecture | Filename | MD5sum | Superseded By Advisory
Oracle Linux 7 (x86_64) | 389-ds-base-1.3.3.1-13.el7.src.rpm | d90ce548330f6f824dc9263f6143adf9 | ELBA-2021-0868
Oracle Linux 7 (x86_64) | 389-ds-base-1.3.3.1-13.el7.x86_64.rpm | 17ea13223f6384bc8b1affa6829f0e8b | ELBA-2021-0868
Oracle Linux 7 (x86_64) | 389-ds-base-devel-1.3.3.1-13.el7.x86_64.rpm | 12c2abeee94f19f00b614179a99ec1e1 | ELBA-2021-0868
Oracle Linux 7 (x86_64) | 389-ds-base-libs-1.3.3.1-13.el7.x86_64.rpm | baed30df6ed6ec609f014a9c78c369fb | ELBA-2021-0868



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections, please contact the Oracle Linux ULN team.
