Debian Bug report logs - #906985
389-ds-base: CVE-2018-10935: ldapsearch with server side sort allows users to cause a crash
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>: Bug#906985; Package src:389-ds-base. (Wed, 22 Aug 2018 20:15:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>. (Wed, 22 Aug 2018 20:15:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: 389-ds-base
Version: 1.3.8.2-1
Severity: important
Tags: security upstream
Forwarded: https://pagure.io/389-ds-base/issue/49890

Hi,

The following vulnerability was published for 389-ds-base.

CVE-2018-10935[0]:
ldapsearch with server side sort allows users to cause a crash

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10935
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10935
[1] https://pagure.io/389-ds-base/issue/49890

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Reply sent to Timo Aaltonen <tjaalton@debian.org>: You have taken responsibility. (Wed, 22 Aug 2018 22:06:05 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Wed, 22 Aug 2018 22:06:05 GMT)
Message #10 received at 906985-close@bugs.debian.org:
Source: 389-ds-base
Source-Version: 1.4.0.15-1
We believe that the bug you reported is fixed in the latest version of
389-ds-base, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 906985@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Timo Aaltonen <tjaalton@debian.org> (supplier of updated 389-ds-base package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 23 Aug 2018 00:46:45 +0300
Source: 389-ds-base
Binary: 389-ds 389-ds-base-libs 389-ds-base-dev 389-ds-base python3-lib389 python3-dirsrvtests cockpit-389-ds
Architecture: source
Version: 1.4.0.15-1
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>
Changed-By: Timo Aaltonen <tjaalton@debian.org>
Description:
389-ds - 389 Directory Server suite - metapackage
389-ds-base - 389 Directory Server suite - server
389-ds-base-dev - 389 Directory Server suite - development files
389-ds-base-libs - 389 Directory Server suite - libraries
cockpit-389-ds - Cockpit user interface for 389 Directory Server
python3-dirsrvtests - Python3 module for 389 Directory Server Continuous Integration te
python3-lib389 - Python3 module for accessing and configuring the 389 Directory Se
Closes: 906985
Changes:
389-ds-base (1.4.0.15-1) unstable; urgency=medium
.
* New upstream release
- CVE-2018-10935 (Closes: #906985)
* control: Add libcrack2-dev to build-depends.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 21 Sep 2018 07:30:00 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:46:42 2019