389-ds-base: CVE-2018-14624: server crash through modify command with large DN

Related Vulnerabilities: CVE-2018-14624, CVE-2018-14638

Debian Bug report logs - #907778


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 1 Sep 2018 20:45:01 UTC

Severity: important

Tags: security, upstream

Found in versions 389-ds-base/1.3.5.17-1, 389-ds-base/1.4.0.15-1, 389-ds-base/1.3.5.17-2

Fixed in version 389-ds-base/1.4.0.18-1

Done: Timo Aaltonen <tjaalton@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://pagure.io/389-ds-base/issue/49937




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>:
Bug#907778; Package src:389-ds-base. (Sat, 01 Sep 2018 20:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>. (Sat, 01 Sep 2018 20:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: 389-ds-base: CVE-2018-14624: server crash through modify command with large DN
Date: Sat, 01 Sep 2018 22:41:14 +0200
Source: 389-ds-base
Severity: important
Tags: security upstream

Hi

This bug is to start tracking the issue in the BTS, at the moment
there is not much information available. Reference to the CVE is at
https://bugzilla.redhat.com/show_bug.cgi?id=1619450 .

Have you more information on the issue/fix?

Regards,
Salvatore



Set Bug forwarded-to-address to 'https://pagure.io/389-ds-base/issue/49937'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 07 Sep 2018 20:21:02 GMT)


Marked as found in versions 389-ds-base/1.4.0.15-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 07 Sep 2018 20:21:03 GMT)


Marked as found in versions 389-ds-base/1.3.5.17-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 07 Sep 2018 20:24:02 GMT)


Marked as found in versions 389-ds-base/1.3.5.17-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 07 Sep 2018 20:24:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>:
Bug#907778; Package src:389-ds-base. (Wed, 12 Sep 2018 17:27:03 GMT)


Acknowledgement sent to Timo Aaltonen <tjaalton@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>. (Wed, 12 Sep 2018 17:27:03 GMT)


Message #18 received at 907778@bugs.debian.org:

From: Timo Aaltonen <tjaalton@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 907778@bugs.debian.org
Subject: Re: [Pkg-freeipa-devel] Bug#907778: 389-ds-base: CVE-2018-14624: server crash through modify command with large DN
Date: Wed, 12 Sep 2018 20:24:39 +0300
On 01.09.2018 23:41, Salvatore Bonaccorso wrote:
> Source: 389-ds-base
> Severity: important
> Tags: security upstream
> 
> Hi
> 
> This bug is to start tracking the issue in the BTS, at the moment
> there is not much information available. Reference to the CVE is at
> https://bugzilla.redhat.com/show_bug.cgi?id=1619450 .
> 
> Have you more information on the issue/fix?

Fixed in upstream git, waiting for 1.4.0.17.

https://pagure.io/389-ds-base/c/8ff8cb850

-- 
t



Reply sent to Timo Aaltonen <tjaalton@debian.org>:
You have taken responsibility. (Wed, 10 Oct 2018 22:21:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 10 Oct 2018 22:21:07 GMT)


Message #23 received at 907778-close@bugs.debian.org:

From: Timo Aaltonen <tjaalton@debian.org>
To: 907778-close@bugs.debian.org
Subject: Bug#907778: fixed in 389-ds-base 1.4.0.18-1
Date: Wed, 10 Oct 2018 22:19:05 +0000
Source: 389-ds-base
Source-Version: 1.4.0.18-1

We believe that the bug you reported is fixed in the latest version of
389-ds-base, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 907778@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <tjaalton@debian.org> (supplier of updated 389-ds-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 11 Oct 2018 00:56:02 +0300
Source: 389-ds-base
Binary: 389-ds 389-ds-base-libs 389-ds-base-dev 389-ds-base python3-lib389 python3-dirsrvtests cockpit-389-ds
Architecture: source
Version: 1.4.0.18-1
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>
Changed-By: Timo Aaltonen <tjaalton@debian.org>
Description:
 389-ds     - 389 Directory Server suite - metapackage
 389-ds-base - 389 Directory Server suite - server
 389-ds-base-dev - 389 Directory Server suite - development files
 389-ds-base-libs - 389 Directory Server suite - libraries
 cockpit-389-ds - Cockpit user interface for 389 Directory Server
 python3-dirsrvtests - Python3 module for 389 Directory Server Continuous Integration te
 python3-lib389 - Python3 module for accessing and configuring the 389 Directory Se
Closes: 907778 908859 910761
Changes:
 389-ds-base (1.4.0.18-1) unstable; urgency=medium
 .
   * New upstream release.
     - CVE-2018-14624 (Closes: #907778)
     - CVE-2018-14638 (Closes: #908859)
   * control: Build on any arch again.
   * perl-use-move-instead-of-rename.diff: Use copy instead of move,
     except when restoring files in case of an error.
   * Move the new utils (dsconf, dscreate, dsctl, dsidm) to python3-
     lib389.
   * control: Add python3-argcomplete to python3-lib389 depends. (Closes:
     #910761)
Checksums-Sha1:
 92f367a4785bb49dc2ed62e33eda2659a2a4967f 2709 389-ds-base_1.4.0.18-1.dsc
 2c7c22928c73631a59c38fe832c03c1cbfa6c22f 5678130 389-ds-base_1.4.0.18.orig.tar.bz2
 cd093c715ad62e5c393590110edd5d244eb88835 444480 389-ds-base_1.4.0.18-1.debian.tar.xz
 c89d8a9b7fd38d8499dcf181701035cf3deba281 7716 389-ds-base_1.4.0.18-1_source.buildinfo
Checksums-Sha256:
 af5ecd9264cbae4c4326e7c8af1c96e6f29fde293df85cb074403978fcb1c04f 2709 389-ds-base_1.4.0.18-1.dsc
 c53d77f287ecfb0dc08858a86fc3c5dfe70ebc311fc28adfba71e2a38147a0b4 5678130 389-ds-base_1.4.0.18.orig.tar.bz2
 5f16211cff6c16649d5e7f2abad2bc8dc27214bbd05f30d6f3f0ab4de9df7228 444480 389-ds-base_1.4.0.18-1.debian.tar.xz
 78cd2b29ab9961e4dab24f0c0bb94919bb6df52a3ed2c076f5f8f6fb1c7c7810 7716 389-ds-base_1.4.0.18-1_source.buildinfo
Files:
 c294806d543202b53478e949e638ae1b 2709 net optional 389-ds-base_1.4.0.18-1.dsc
 8fdd3dc701047b0a2c7741a67fae4e54 5678130 net optional 389-ds-base_1.4.0.18.orig.tar.bz2
 47c65b7549f230b0afa0248f49a49c08 444480 net optional 389-ds-base_1.4.0.18-1.debian.tar.xz
 bb975e07e5e57ac14a4948aad5f48404 7716 net optional 389-ds-base_1.4.0.18-1_source.buildinfo

[PGP signature block not reproduced on this page]
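A practitioner pulling the fixed source (1.4.0.18-1) to rebuild or audit it will want to confirm the download matches what the maintainer uploaded. The script below is an added example, not part of the Debian BTS page nor of the 389-ds-base project: it takes the Checksums-Sha256 stanza copied verbatim from the .changes quoted above and checks each listed file's size and SHA-256 against it. It assumes the four files sit together in one directory and that either sha256sum (coreutils) or shasum (perl) is on PATH.

```shell
#!/bin/sh
# Added example (not Debian BTS or 389-ds-base project code): verify downloaded
# 389-ds-base 1.4.0.18-1 source artifacts against the Checksums-Sha256 stanza
# published in the signed .changes quoted on this page.
# Assumptions: all files are in one directory; sha256sum or shasum is on PATH.

# Copied from the Checksums-Sha256 stanza of the .changes above.
# Format per line: <sha256> <size-in-bytes> <file name>
CHANGES_SHA256='
af5ecd9264cbae4c4326e7c8af1c96e6f29fde293df85cb074403978fcb1c04f 2709 389-ds-base_1.4.0.18-1.dsc
c53d77f287ecfb0dc08858a86fc3c5dfe70ebc311fc28adfba71e2a38147a0b4 5678130 389-ds-base_1.4.0.18.orig.tar.bz2
5f16211cff6c16649d5e7f2abad2bc8dc27214bbd05f30d6f3f0ab4de9df7228 444480 389-ds-base_1.4.0.18-1.debian.tar.xz
78cd2b29ab9961e4dab24f0c0bb94919bb6df52a3ed2c076f5f8f6fb1c7c7810 7716 389-ds-base_1.4.0.18-1_source.buildinfo
'

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_stanza DIR STANZA: check every "<sha256> <size> <name>" line of
# STANZA against DIR/<name>. The size is compared before hashing, so a
# truncated download is reported as such instead of as a bare digest
# mismatch. Prints one status line per file; returns 0 only when every
# listed file is present and both size and digest match, 1 otherwise.
verify_stanza() {
    dir=$1
    stanza=$2
    rc=0
    while read -r want_sum want_size name; do
        [ -n "$name" ] || continue          # skip blank lines in the stanza
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            rc=1
            continue
        fi
        got_size=$(wc -c < "$path" | tr -d ' ')
        if [ "$got_size" -ne "$want_size" ]; then
            echo "BADSIZE  $name (expected $want_size bytes, got $got_size)"
            rc=1
            continue
        fi
        got_sum=$(sha256_of "$path")
        if [ "$got_sum" != "$want_sum" ]; then
            echo "BADSUM   $name"
            rc=1
            continue
        fi
        echo "OK       $name"
    done <<EOF
$stanza
EOF
    return $rc
}

# Usage: verify_stanza /path/to/downloads "$CHANGES_SHA256"
```

The digests on this page are only as trustworthy as the signed .changes they were copied from, and that signature is not reproduced here; for a real audit take the .changes from the Debian archive and run dscverify (devscripts), which checks the OpenPGP signature as well as the hashes. The function is deliberately generic: any Checksums-Sha256 stanza from a .dsc or .changes can be passed as the second argument.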




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 08 Nov 2018 07:37:19 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:13:12 2019; Machine Name: beach
