Debian Bug report logs - #888451
389-ds-base: CVE-2017-15135: Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 25 Jan 2018 20:39:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version 389-ds-base/1.3.7.8-4

Fixed in version 389-ds-base/1.3.7.9-1

Done: Timo Aaltonen <tjaalton@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>:
Bug#888451; Package src:389-ds-base. (Thu, 25 Jan 2018 20:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>. (Thu, 25 Jan 2018 20:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: 389-ds-base: CVE-2017-15135: Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c
Date: Thu, 25 Jan 2018 21:36:56 +0100
Source: 389-ds-base
Version: 1.3.7.8-4
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for 389-ds-base.

CVE-2017-15135[0]:
| It was found that 389-ds-base since 1.3.6.1 up to and including
| 1.4.0.3 did not always handle internal hash comparison operations
| correctly during the authentication process. A remote, unauthenticated
| attacker could potentially use this flaw to bypass the authentication
| process under very rare and specific circumstances.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15135
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15135
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1525628

Please adjust the affected versions in the BTS as needed; the issue
was introduced after the CVE-2016-5405 fix, it is said, so it needs to be
verified which suites are affected; at least stretch seems to be. So far I
only looked at sid source.

Regards,
Salvatore
[CVE-2017-15135.patch (text/plain, attachment)]
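As an added illustration of the defect class named in the report title (a constant-time compare with no check of the lengths involved), not code from 389-ds-base, from the attached patch or from the reporter: a compare that trusts a caller-supplied length beside a length-aware one, exercised on a constructed sample digest. Function names and the sample bytes are assumptions for this illustration.

```c
#include <stddef.h>

/* Illustration only (not 389-ds-base code): a constant-time compare that
 * trusts the caller's length n. If n is derived from the candidate value,
 * a candidate that matches only a prefix of the stored digest compares
 * equal, because the remaining stored bytes are never examined. */
static int ct_memcmp_nolen(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned int diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    return diff != 0;          /* 0 means "equal" */
}

/* Hardened form: both lengths are folded into the result, so a prefix or a
 * truncated candidate can never compare equal. The loop is bounded by the
 * shorter length only to stay in bounds; digest lengths are not secret, so
 * the length-dependent loop count leaks nothing about the digest bytes. */
static int ct_memcmp_len(const unsigned char *a, size_t alen,
                         const unsigned char *b, size_t blen)
{
    unsigned int diff = (alen != blen);
    size_t n = alen < blen ? alen : blen;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    return diff != 0;          /* 0 means "equal" */
}

/* Constructed sample: an 8-byte stored digest and a 4-byte candidate that
 * matches only its first four bytes (values are made up for this example). */
static const unsigned char stored[8] = {0x5e, 0x88, 0x48, 0x98, 0xda, 0x28, 0x04, 0x71};
static const unsigned char cand[4]   = {0x5e, 0x88, 0x48, 0x98};

/* Returns 1 if the length-trusting compare accepts the prefix candidate. */
static int prefix_accepted_nolen(void)
{
    return ct_memcmp_nolen(stored, cand, sizeof cand) == 0;
}

/* Returns 1 if the length-aware compare accepts the prefix candidate. */
static int prefix_accepted_len(void)
{
    return ct_memcmp_len(stored, sizeof stored, cand, sizeof cand) == 0;
}
```
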

Reply sent to Timo Aaltonen <tjaalton@debian.org>:
You have taken responsibility. (Mon, 05 Feb 2018 15:24:18 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 05 Feb 2018 15:24:18 GMT)


Message #10 received at 888451-close@bugs.debian.org:

From: Timo Aaltonen <tjaalton@debian.org>
To: 888451-close@bugs.debian.org
Subject: Bug#888451: fixed in 389-ds-base 1.3.7.9-1
Date: Mon, 05 Feb 2018 15:21:00 +0000
Source: 389-ds-base
Source-Version: 1.3.7.9-1

We believe that the bug you reported is fixed in the latest version of
389-ds-base, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888451@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <tjaalton@debian.org> (supplier of updated 389-ds-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 05 Feb 2018 16:25:09 +0200
Source: 389-ds-base
Binary: 389-ds 389-ds-base-libs 389-ds-base-dev 389-ds-base python3-lib389 python3-dirsrvtests
Architecture: source
Version: 1.3.7.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>
Changed-By: Timo Aaltonen <tjaalton@debian.org>
Description:
 389-ds     - 389 Directory Server suite - metapackage
 389-ds-base - 389 Directory Server suite - server
 389-ds-base-dev - 389 Directory Server suite - development files
 389-ds-base-libs - 389 Directory Server suite - libraries
 python3-dirsrvtests - Python3 module for 389 Directory Server Continuous Integration te
 python3-lib389 - Python3 module for accessing and configuring the 389 Directory Se
Closes: 888451 888452
Changes:
 389-ds-base (1.3.7.9-1) unstable; urgency=medium
 .
   * New upstream release.
     - CVE-2017-15134 (Closes: #888452)
   * patches: Fix CVE-2017-15135. (Closes: #888451)
   * tests: Add some debug output.
Checksums-Sha1:
 d6057d4029733987b58726d2086437d6612f2ece 2737 389-ds-base_1.3.7.9-1.dsc
 a3b49138c588c8389e547622ea62fa77e7f0005b 3573617 389-ds-base_1.3.7.9.orig.tar.bz2
 efbccfd6e1b62487cfbde401335f08402e68bbb6 23664 389-ds-base_1.3.7.9-1.debian.tar.xz
Checksums-Sha256:
 744149e318639702c9d55b6167901a72d0bb81904b1d7a3de60afbd0d097106f 2737 389-ds-base_1.3.7.9-1.dsc
 fe9e7bee67ff6ce8b41d7e7c74dae79bd69711bcb488fe8c226e218357331e37 3573617 389-ds-base_1.3.7.9.orig.tar.bz2
 7dcce3f6c1be57cb16f839cd60f2c61f3daa133e33e0e178a3643f23cf383198 23664 389-ds-base_1.3.7.9-1.debian.tar.xz
Files:
 e7bd5b53d457f0c8067b9a316ac653e0 2737 net optional 389-ds-base_1.3.7.9-1.dsc
 1f40ad0aec80cc2b084a2914d2dd6370 3573617 net optional 389-ds-base_1.3.7.9.orig.tar.bz2
 50979bbacef1c4705e2a93584cf9177e 23664 net optional 389-ds-base_1.3.7.9-1.debian.tar.xz

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 06 Mar 2018 07:29:18 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:23:21 2019; Machine Name: buxtehude
