389-ds-base: CVE-2018-10935: ldapsearch with server side sort allows users to cause a crash


Debian Bug report logs - #906985


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 22 Aug 2018 20:15:01 UTC

Severity: important

Tags: security, upstream

Found in version 389-ds-base/1.3.8.2-1

Fixed in version 389-ds-base/1.4.0.15-1

Done: Timo Aaltonen <tjaalton@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://pagure.io/389-ds-base/issue/49890



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>:
Bug#906985; Package src:389-ds-base. (Wed, 22 Aug 2018 20:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>. (Wed, 22 Aug 2018 20:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: 389-ds-base: CVE-2018-10935: ldapsearch with server side sort allows users to cause a crash
Date: Wed, 22 Aug 2018 22:10:35 +0200
Source: 389-ds-base
Version: 1.3.8.2-1
Severity: important
Tags: security upstream
Forwarded: https://pagure.io/389-ds-base/issue/49890

Hi,

The following vulnerability was published for 389-ds-base.

CVE-2018-10935[0]:
ldapsearch with server side sort allows users to cause a crash

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10935
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10935
[1] https://pagure.io/389-ds-base/issue/49890

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Timo Aaltonen <tjaalton@debian.org>:
You have taken responsibility. (Wed, 22 Aug 2018 22:06:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 22 Aug 2018 22:06:05 GMT)


Message #10 received at 906985-close@bugs.debian.org:

From: Timo Aaltonen <tjaalton@debian.org>
To: 906985-close@bugs.debian.org
Subject: Bug#906985: fixed in 389-ds-base 1.4.0.15-1
Date: Wed, 22 Aug 2018 22:04:09 +0000
Source: 389-ds-base
Source-Version: 1.4.0.15-1

We believe that the bug you reported is fixed in the latest version of
389-ds-base, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 906985@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <tjaalton@debian.org> (supplier of updated 389-ds-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 23 Aug 2018 00:46:45 +0300
Source: 389-ds-base
Binary: 389-ds 389-ds-base-libs 389-ds-base-dev 389-ds-base python3-lib389 python3-dirsrvtests cockpit-389-ds
Architecture: source
Version: 1.4.0.15-1
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>
Changed-By: Timo Aaltonen <tjaalton@debian.org>
Description:
 389-ds     - 389 Directory Server suite - metapackage
 389-ds-base - 389 Directory Server suite - server
 389-ds-base-dev - 389 Directory Server suite - development files
 389-ds-base-libs - 389 Directory Server suite - libraries
 cockpit-389-ds - Cockpit user interface for 389 Directory Server
 python3-dirsrvtests - Python3 module for 389 Directory Server Continuous Integration te
 python3-lib389 - Python3 module for accessing and configuring the 389 Directory Se
Closes: 906985
Changes:
 389-ds-base (1.4.0.15-1) unstable; urgency=medium
 .
   * New upstream release
     - CVE-2018-10935 (Closes: #906985)
   * control: Add libcrack2-dev to build-depends.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 21 Sep 2018 07:30:00 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:46:42 2019; Machine Name: buxtehude
