389-ds-base: CVE-2018-10850

Related Vulnerabilities: CVE-2018-10850  

Debian Bug report logs - #903501
389-ds-base: CVE-2018-10850


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 10 Jul 2018 19:21:01 UTC

Severity: important

Tags: security, upstream

Found in version 389-ds-base/1.3.8.2-1

Fixed in version 389-ds-base/1.4.0.13-1

Done: Timo Aaltonen <tjaalton@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://pagure.io/389-ds-base/issue/49768



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>:
Bug#903501; Package src:389-ds-base. (Tue, 10 Jul 2018 19:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>. (Tue, 10 Jul 2018 19:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: 389-ds-base: CVE-2018-10850
Date: Tue, 10 Jul 2018 21:18:40 +0200
Source: 389-ds-base
Version: 1.3.8.2-1
Severity: important
Tags: security upstream
Forwarded: https://pagure.io/389-ds-base/issue/49768

Hi,

The following vulnerability was published for 389-ds-base.

CVE-2018-10850[0]:
| 389-ds-base before versions 1.4.0.10, 1.3.8.3 is vulnerable to a race
| condition in the way 389-ds-base handles persistent search, resulting
| in a crash if the server is under load. An anonymous attacker could
| use this flaw to trigger a denial of service.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10850
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10850
[1] https://pagure.io/389-ds-base/issue/49768
[2] https://pagure.io/389-ds-base/c/8f04487f99a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Timo Aaltonen <tjaalton@debian.org>:
You have taken responsibility. (Wed, 01 Aug 2018 08:15:19 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 01 Aug 2018 08:15:20 GMT)


Message #10 received at 903501-close@bugs.debian.org:

From: Timo Aaltonen <tjaalton@debian.org>
To: 903501-close@bugs.debian.org
Subject: Bug#903501: fixed in 389-ds-base 1.4.0.13-1
Date: Wed, 01 Aug 2018 08:10:36 +0000
Source: 389-ds-base
Source-Version: 1.4.0.13-1

We believe that the bug you reported is fixed in the latest version of
389-ds-base, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 903501@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <tjaalton@debian.org> (supplier of updated 389-ds-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 31 Jul 2018 23:46:17 +0300
Source: 389-ds-base
Binary: 389-ds 389-ds-base-libs 389-ds-base-dev 389-ds-base python3-lib389 python3-dirsrvtests cockpit-389-ds
Architecture: source amd64 all
Version: 1.4.0.13-1
Distribution: experimental
Urgency: medium
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>
Changed-By: Timo Aaltonen <tjaalton@debian.org>
Description:
 389-ds     - 389 Directory Server suite - metapackage
 389-ds-base - 389 Directory Server suite - server
 389-ds-base-dev - 389 Directory Server suite - development files
 389-ds-base-libs - 389 Directory Server suite - libraries
 cockpit-389-ds - Cockpit user interface for 389 Directory Server
 python3-dirsrvtests - Python3 module for 389 Directory Server Continuous Integration te
 python3-lib389 - Python3 module for accessing and configuring the 389 Directory Se
Closes: 903501 904760
Changes:
 389-ds-base (1.4.0.13-1) experimental; urgency=medium
 .
   * New upstream release.
     - CVE-2018-10850 (Closes: #903501)
   * control: Update maintainer address.
   * control: Upstream dropped support for non-64bit architectures, so
     build only on supported 64bit archs (amd64, arm64, mips64el,
     ppc64el, s390x).
   * control: svrcore got merged here, drop it from build-depends.
   * ftbs_lsoftotkn3.diff: Dropped, obsolete.
   * control: Add rsync to build-depends.
   * libs, dev, control: Add libsvrcore files, replace old package.
   * base: Add new scripts, add python3-selinux, -semanage, -sepolicy to
     depends.
   * Add a package for cockpit-389-ds.
   * rules: Clean up cruft left after build.
   * control: Drop dh_systemd from build-depends, bump debhelper to 11.
   * Add various libjs packages to cockpit-389-ds Depends, add the rest
     to d/missing-sources.
   * copyright: Updated. (Closes: #904760)
   * control: Modify 389-ds to depend on cockpit-389-ds and drop the old
     GUI packages which are deprecated upstream.
   * dont-build-new-manpages.diff: Debian doesn't have argparse-manpage,
     so in order to not FTBFS don't build new manpages.
   * base.install: Add man5/*.
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 30 Aug 2018 07:24:51 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:34:07 2019; Machine Name: buxtehude
