Security update for 389-ds SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:3362-1 Final 1 1 2017-12-18T20:46:29Z current 2017-12-18T20:46:29Z 2017-12-18T20:46:29Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for 389-ds This update for 389-ds fixes the following issues: - CVE-2017-7551: 389-ds-base: Password brute-force possible for locked account due to different return codes (bsc#1051997) - CVE-2016-4992: 389-ds: Information disclosure via repeated use of LDAP ADD operation (bsc#997256) - CVE-2016-5405: 389-ds: Password verification vulnerable to timing attack (bsc#1007004) - CVE-2017-2591: 389-ds-base: Heap buffer overflow in uiduniq.c (bsc#1020670) - CVE-2017-2668 389-ds Remote crash via crafted LDAP messages (bsc#1069067) - CVE-2016-0741: 389-ds: worker threads do not detect abnormally closed connections causing DoS (bsc#1069074) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-12/msg00076.html E-Mail link for openSUSE-SU-2017:3362-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 389-ds-1.3.4.5-8.1 389-ds-devel-1.3.4.5-8.1 389-ds-1.3.4.5-8.1 as a component of openSUSE Leap 42.2 389-ds-devel-1.3.4.5-8.1 as a component of openSUSE Leap 42.2 389-ds-1.3.4.5-8.1 as a component of openSUSE Leap 42.3 389-ds-devel-1.3.4.5-8.1 as a component of openSUSE Leap 42.3 389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, Red Hat Enterprise Linux HPC Node 6 through 7, Red Hat Enterprise Linux Server 6 through 7, and Red Hat Enterprise Linux Workstation 6 through 7 allows remote attackers to infer the existence of RDN component objects. CVE-2016-4992 openSUSE Leap 42.2:389-ds-1.3.4.5-8.1 openSUSE Leap 42.2:389-ds-devel-1.3.4.5-8.1 openSUSE Leap 42.3:389-ds-1.3.4.5-8.1 openSUSE Leap 42.3:389-ds-devel-1.3.4.5-8.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-12/msg00076.html https://www.suse.com/security/cve/CVE-2016-4992.html CVE-2016-4992 https://bugzilla.suse.com/991201 SUSE Bug 991201 https://bugzilla.suse.com/997256 SUSE Bug 997256 389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, Red Hat Enterprise Linux HPC Node 6 through 7, Red Hat Enterprise Linux Server 6 through 7, and Red Hat Enterprise Linux Workstation 6 through 7 allows remote attackers to obtain user passwords. CVE-2016-5405 openSUSE Leap 42.2:389-ds-1.3.4.5-8.1 openSUSE Leap 42.2:389-ds-devel-1.3.4.5-8.1 openSUSE Leap 42.3:389-ds-1.3.4.5-8.1 openSUSE Leap 42.3:389-ds-devel-1.3.4.5-8.1 moderate 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-12/msg00076.html https://www.suse.com/security/cve/CVE-2016-5405.html CVE-2016-5405 https://bugzilla.suse.com/1007004 SUSE Bug 1007004 https://bugzilla.suse.com/1076530 SUSE Bug 1076530 389-ds-base before versions 1.3.5.17 and 1.3.6.10 is vulnerable to an invalid pointer dereference in the way LDAP bind requests are handled. A remote unauthenticated attacker could use this flaw to make ns-slapd crash via a specially crafted LDAP bind request, resulting in denial of service. CVE-2017-2668 openSUSE Leap 42.2:389-ds-1.3.4.5-8.1 openSUSE Leap 42.2:389-ds-devel-1.3.4.5-8.1 openSUSE Leap 42.3:389-ds-1.3.4.5-8.1 openSUSE Leap 42.3:389-ds-devel-1.3.4.5-8.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-12/msg00076.html https://www.suse.com/security/cve/CVE-2017-2668.html CVE-2017-2668 https://bugzilla.suse.com/1069067 SUSE Bug 1069067 389-ds-base version before 1.3.5.19 and 1.3.6.7 are vulnerable to password brute-force attacks during account lockout due to different return codes returned on password attempts. CVE-2017-7551 openSUSE Leap 42.2:389-ds-1.3.4.5-8.1 openSUSE Leap 42.2:389-ds-devel-1.3.4.5-8.1 openSUSE Leap 42.3:389-ds-1.3.4.5-8.1 openSUSE Leap 42.3:389-ds-devel-1.3.4.5-8.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-12/msg00076.html https://www.suse.com/security/cve/CVE-2017-7551.html CVE-2017-7551 https://bugzilla.suse.com/1051997 SUSE Bug 1051997