389-ds-base: CVE-2018-14638

Related Vulnerabilities: CVE-2018-14638   CVE-2018-14624  

Debian Bug report logs - #908859

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 15 Sep 2018 07:30:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions 389-ds-base/1.3.8.2-1, 389-ds-base/1.4.0.15-1

Fixed in version 389-ds-base/1.4.0.18-1

Done: Timo Aaltonen <tjaalton@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>:
Bug#908859; Package src:389-ds-base. (Sat, 15 Sep 2018 07:30:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>. (Sat, 15 Sep 2018 07:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: 389-ds-base: CVE-2018-14638
Date: Sat, 15 Sep 2018 09:26:53 +0200
Source: 389-ds-base
Version: 1.4.0.15-1
Severity: grave
Tags: security
Control: found -1 1.3.8.2-1

Hi,

The following vulnerability was published for 389-ds-base.

CVE-2018-14638[0]:
| A flaw was found in 389-ds-base before version 1.3.8.4-13. The process
| ns-slapd crashes in delete_passwdPolicy function when persistent
| search connections are terminated unexpectedly leading to remote
| denial of service.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-14638
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14638
[1] https://pagure.io/389-ds-base/c/78fc627accacfa4061ce48977e22301f81ea8d73

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions 389-ds-base/1.3.8.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 15 Sep 2018 07:30:04 GMT)


Added tag(s) patch and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 15 Sep 2018 09:45:06 GMT)


Reply sent to Timo Aaltonen <tjaalton@debian.org>:
You have taken responsibility. (Wed, 10 Oct 2018 22:21:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 10 Oct 2018 22:21:09 GMT)


Message #14 received at 908859-close@bugs.debian.org:

From: Timo Aaltonen <tjaalton@debian.org>
To: 908859-close@bugs.debian.org
Subject: Bug#908859: fixed in 389-ds-base 1.4.0.18-1
Date: Wed, 10 Oct 2018 22:19:05 +0000
Source: 389-ds-base
Source-Version: 1.4.0.18-1

We believe that the bug you reported is fixed in the latest version of
389-ds-base, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 908859@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <tjaalton@debian.org> (supplier of updated 389-ds-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 11 Oct 2018 00:56:02 +0300
Source: 389-ds-base
Binary: 389-ds 389-ds-base-libs 389-ds-base-dev 389-ds-base python3-lib389 python3-dirsrvtests cockpit-389-ds
Architecture: source
Version: 1.4.0.18-1
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>
Changed-By: Timo Aaltonen <tjaalton@debian.org>
Description:
 389-ds     - 389 Directory Server suite - metapackage
 389-ds-base - 389 Directory Server suite - server
 389-ds-base-dev - 389 Directory Server suite - development files
 389-ds-base-libs - 389 Directory Server suite - libraries
 cockpit-389-ds - Cockpit user interface for 389 Directory Server
 python3-dirsrvtests - Python3 module for 389 Directory Server Continuous Integration te
 python3-lib389 - Python3 module for accessing and configuring the 389 Directory Se
Closes: 907778 908859 910761
Changes:
 389-ds-base (1.4.0.18-1) unstable; urgency=medium
 .
   * New upstream release.
     - CVE-2018-14624 (Closes: #907778)
     - CVE-2018-14638 (Closes: #908859)
   * control: Build on any arch again.
   * perl-use-move-instead-of-rename.diff: Use copy instead of move,
     except when restoring files in case of an error.
   * Move the new utils (dsconf, dscreate, dsctl, dsidm) to python3-
     lib389.
   * control: Add python3-argcomplete to python3-lib389 depends. (Closes:
     #910761)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 08 Nov 2018 07:33:38 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:11:35 2019; Machine Name: beach
