[RHSA-2015:0416-02] Important: 389-ds-base security, bug fix, and enhancement update


-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Important: 389-ds-base security, bug fix, and enhancement update

Advisory ID: RHSA-2015:0416-01

Product: Red Hat Enterprise Linux

Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0416.html

Issue date: 2015-03-05

CVE Names: CVE-2014-8105 CVE-2014-8112

=====================================================================

 

1. Summary:

 

Updated 389-ds-base packages that fix two security issues, several bugs,

and add various enhancements are now available for Red Hat Enterprise

Linux 7.

 

Red Hat Product Security has rated this update as having Important security

impact. Common Vulnerability Scoring System (CVSS) base scores, which give

detailed severity ratings, are available for each vulnerability from the

CVE links in the References section.

 

2. Relevant releases/architectures:

 

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64

Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64

Red Hat Enterprise Linux Server (v. 7) - x86_64

Red Hat Enterprise Linux Server Optional (v. 7) - x86_64

Red Hat Enterprise Linux Workstation (v. 7) - x86_64

Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

 

3. Description:

 

The 389 Directory Server is an LDAPv3 compliant server. The base packages

include the Lightweight Directory Access Protocol (LDAP) server and

command-line utilities for server administration.

 

An information disclosure flaw was found in the way the 389 Directory

Server stored information in the Changelog that is exposed via the

'cn=changelog' LDAP sub-tree. An unauthenticated user could in certain

cases use this flaw to read data from the Changelog, which could include

sensitive information such as plain-text passwords.

(CVE-2014-8105)

 

It was found that when the nsslapd-unhashed-pw-switch 389 Directory Server

configuration option was set to "off", it did not prevent the writing of

unhashed passwords into the Changelog. This could potentially allow an

authenticated user able to access the Changelog to read sensitive

information. (CVE-2014-8112)

 

The CVE-2014-8105 issue was discovered by Petr Špaček of the Red Hat

Identity Management Engineering Team, and the CVE-2014-8112 issue was

discovered by Ludwig Krispenz of the Red Hat Identity Management

Engineering Team.

 

Enhancements:

 

* Added new WinSync configuration parameters: winSyncSubtreePair for

synchronizing multiple subtrees, as well as winSyncWindowsFilter and

winSyncDirectoryFilter for synchronizing restricted sets by filters.

(BZ#746646)

 

* It is now possible to stop, start, or configure plug-ins without the need

to restart the server for the change to take effect. (BZ#994690)

 

* Access control related to the MODDN and MODRDN operations has been

updated: the source and destination targets can be specified in the same

access control instruction. (BZ#1118014)

 

* The nsDS5ReplicaBindDNGroup attribute for using a group distinguished

name in binding to replicas has been added. (BZ#1052754)

 

* WinSync now supports range retrieval. If more than the MaxValRange number

of attribute values exist per attribute, WinSync synchronizes all the

attributes to the directory server using the range retrieval. (BZ#1044149)

 

* Support for the RFC 4527 Read Entry Controls and RFC 4533 Content

Synchronization Operation LDAP standards has been added. (BZ#1044139,

BZ#1044159)

 

* The Referential Integrity (referint) plug-in can now use an alternate

configuration area. The PlugInArg plug-in configuration now uses unique

configuration attributes. Configuration changes no longer require a server

restart. (BZ#1044203)

 

* The logconv.pl log analysis tool now supports gzip, bzip2, and xz

compressed files and also TAR archives and compressed TAR archives of these

files. (BZ#1044188)

 

* Only the Directory Manager could add encoded passwords or force users to

change their password after a reset. Users defined in the passwordAdminDN

attribute can now also do this. (BZ#1118007)

 

* The "nsslapd-memberofScope" configuration parameter has been added to the

MemberOf plug-in. With MemberOf enabled and a scope defined, moving a group

out of scope with a MODRDN operation failed. Moving a member entry out of

scope now correctly removes the memberof value. (BZ#1044170)

 

* The alwaysRecordLoginAttr attribute has been added to the Account Policy

plug-in configuration entry, which makes it possible to distinguish between an

attribute for checking the activity of an account and an attribute to be

updated at successful login. (BZ#1060032)

 

* A root DSE search, using the ldapsearch command with the '-s base -b ""'

options, returns only the user attributes instead of the operational

attributes. The "nsslapd-return-default" option has been added for backward

compatibility. (BZ#1118021)

 

* The configuration of the MemberOf plug-in can be stored in a suffix

mapped to a back-end database, which allows MemberOf configuration to be

replicated. (BZ#1044205)

 

* Added support for the SSL versions from the range supported by the NSS

library available on the system. Due to the POODLE vulnerability, SSLv3 is

disabled by default even if NSS supports it. (BZ#1044191)

 

4. Solution:

 

All 389-ds-base users are advised to upgrade to these updated packages,

which contain backported patches to correct these issues and add these

enhancements. After installing this update, the 389 server service will be

restarted automatically.

 

Before applying this update, make sure all previously released errata

relevant to your system have been applied.

 

For details on how to apply this update, refer to:

 

https://access.redhat.com/articles/11258

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

881372 - nsDS5BeginReplicaRefresh attribute accepts any value and it doesn't throw any error when server restarts.

920597 - Possible to add invalid ACI value

921162 - Possible to add nonexistent target to ACI

923799 - if nsslapd-cachememsize set to the number larger than the RAM available, should result in proper error message.

924937 - Attribute "dsOnlyMemberUid" not allowed when syncing nested posix groups from AD with posixWinsync

951754 - Self entry access ACI not working properly

975176 - Non-directory manager can change the individual userPassword's storage scheme

982597 - Some attributes in cn=config should not be multivalued

994690 - [RFE] Allow dynamically adding/enabling/disabling/removing plugins without requiring a server restart

1012991 - errorlog-level 16384 is listed as 0 in cn=config

1013736 - Enabling/Disabling DNA plug-in throws "ldap_modify: Server Unwilling to Perform (53)" error

1014380 - setup-ds.pl doesn't lookup the "root" group correctly

1024541 - start dirsrv after ntpd

1029959 - Managed Entries betxnpreoperation - transaction not aborted upon failure to create managed entry

1031216 - add dbmon.sh

1044133 - Indexed search with filter containing '&' and "!" with attribute subtypes gives wrong result

1044134 - [RFE] should set LDAP_OPT_X_SASL_NOCANON to LDAP_OPT_ON by default

1044135 - [RFE] make connection buffer size adjustable

1044137 - [RFE] posix winsync should support ADD user/group entries from DS to AD

1044138 - mep_pre_op: Unable to fetch origin entry

1044139 - [RFE] Support RFC 4527 Read Entry Controls

1044140 - Allow search to look up 'in memory RUV'

1044141 - MMR stress test with dna enabled causes a deadlock

1044142 - winsync doesn't sync DN valued attributes if DS DN value doesn't exist

1044143 - modrdn + NSMMReplicationPlugin - Consumer failed to replay change

1044144 - resurrected entry is not correctly indexed

1044146 - Add a warning message when a connection hits the max number of threads

1044147 - 7-bit check plugin does not work for userpassword attribute

1044148 - The backend name provided to bak2db is not validated

1044149 - [RFE] Winsync should support range retrieval

1044150 - 7-bit checking is not necessary for userPassword

1044151 - With SeLinux, ports can be labelled per range. setup-ds.pl or setup-ds-admin.pl fail to detect already ranged labelled ports

1044152 - ChainOnUpdate: "cn=directory manager" can modify userRoot on consumer without changes being chained or replicated. Directory integrity compromised.

1044153 - mods optimizer

1044154 - multi master replication allows schema violation

1044156 - DS crashes with some 7-bit check plugin configurations

1044157 - Some updates of "passwordgraceusertime" are useless when updating "userpassword"

1044159 - [RFE] Support 'Content Synchronization Operation' (SyncRepl) - RFC 4533

1044160 - remove-ds.pl should remove /var/lock/dirsrv

1044162 - enhance retro changelog

1044163 - updates to ruv entry are written to retro changelog

1044164 - Password administrators should be able to violate password policy

1044168 - Schema replication between DS versions may overwrite newer base schema

1044169 - [RFE] ACIs do not allow attribute subtypes in targetattr keyword

1044170 - [RFE] Allow memberOf suffixes to be configurable

1044171 - [RFE] Allow referential integrity suffixes to be configurable

1044172 - Plugin library path validation prevents intentional loading of out-of-tree modules

1044173 - [RFE] make referential integrity configuration more flexible

1044177 - allow configuring changelog trim interval

1044179 - objectclass may, must lists skip rest of objectclass once first is found in sup

1044180 - memberOf on a user is converted to lowercase

1044181 - report unindexed internal searches

1044183 - With 1.3.04 and subtree-renaming OFF, when a user is deleted after restarting the server, the same entry can't be added

1044185 - dbscan on entryrdn should show all matching values

1044187 - [RFE] logconv.pl - add on option for a minimum etime for unindexed search stats

1044188 - [RFE] Recognize compressed log files

1044191 - [RFE] support TLSv1.1 and TLSv1.2, if supported by NSS

1044193 - default nsslapd-sasl-max-buffer-size should be 2MB

1044194 - Complex filter in a search request doen't work as expected.

1044196 - Automember plug-in should treat MODRDN operations as ADD operations

1044198 - Replication of the schema may overwrite consumer 'attributetypes' even if consumer definition is a superset

1044202 - db2bak.pl issue when specifying non-default directory

1044203 - [RFE] Allow referint plugin to use an alternate config area

1044205 - [RFE] Allow memberOf to use an alternate config area

1044210 - idl switch does not work

1044211 - [RFE] make old-idl tunable

1044212 - IDL-style can become mismatched during partial restoration

1044213 - backend performance - introduce optimization levels

1044215 - using transaction batchval violates durability

1044216 - examine replication code to reduce amount of stored state information

1048980 - 7-bit check plugin not checking MODRDN operation

1049030 - Windows Sync group issues

1052751 - Page control does not work if effective rights control is specified

1052754 - [RFE] Allow nsDS5ReplicaBindDN to be a group DN

1057803 - logconv errors when search has invalid bind dn

1061060 - betxn: retro changelog broken after cancelled transaction

1063990 - single valued attribute replicated ADD does not work

1064006 - Size returned by slapi_entry_size is not accurate

1064986 - Replication retry time attributes cannot be added

1067090 - Missing warning for invalid replica backoff configuration

1072032 - Updating nsds5ReplicaHost attribute in a replication agreement fails with error 53

1074306 - Under heavy stress, failure of turning a tombstone into glue makes the server hung

1074447 - Part of DNA shared configuration is deleted after server restart

1076729 - Continuous add/delete of an entry in MMR setup causes entryrdn-index conflict

1077884 - ldap/servers/slapd/back-ldbm/dblayer.c: possible minor problem with sscanf

1077897 - Memory leak with proxy auth control

1079099 - Simultaneous adding a user and binding as the user could fail in the password policy check

1080186 - Creating a glue fails if one above level is a conflict or missing

1082967 - attribute uniqueness plugin fails when set as a chaining component

1086890 - empty modify returns LDAP_INVALID_DN_SYNTAX

1086902 - mem leak in do_bind when there is an error

1086904 - mem leak in do_search - rawbase not freed upon certain errors

1086908 - Performing deletes during tombstone purging results in operation errors

1090178 - #481 breaks possibility to reassemble memberuid list

1092099 - A replicated MOD fails (Unwilling to perform) if it targets a tombstone

1092342 - nsslapd-ndn-cache-max-size accepts any invalid value.

1092648 - Negative value of nsSaslMapPriority is not reset to lowest priority

1097004 - Problem with deletion while replicated

1098654 - db2bak.pl error with changelogdb

1099654 - Normalization from old DN format to New DN format doesnt handel condition properly when there is space in a suffix after the seperator operator.

1108298 - Rebase 389-ds-base to 1.3.3

1108405 - find a way to remove replication plugin errors messages "changelog iteration code returned a dummy entry with csn %s, skipping ..."

1108407 - managed entry plugin fails to update managed entry pointer on modrdn operation

1108872 - Logconv.pl with an empty access log gives lots of errors

1108874 - logconv.pl memory continually grows

1108881 - rsearch filter error on any search filter

1108895 - [RFE] CLI report to monitor replication

1108902 - rhds91 389-ds-base-1.2.11.15-31.el6_5.x86_64 crash in db4 __dbc_get_pp env = 0x0 ?

1108909 - single valued attribute replicated ADD does not work

1109334 - 389 Server crashes if uniqueMember is invalid syntax and memberOf plugin is enabled.

1109336 - Parent numsubordinate count can be incorrectly updated if an error occurs

1109339 - Nested tombstones become orphaned after purge

1109354 - Tombstone purging can crash the server if the backend is stopped/disabled

1109357 - Coverity issue in 1.3.3

1109364 - valgrind - value mem leaks, uninit mem usage

1109375 - provide default syntax plugin

1109378 - Environment variables are not passed when DS is started via service

1111364 - Updating winsync one-way sync does not affect the behaviour dynamically

1112824 - Broken dereference control with the FreeIPA 4.0 ACIs

1113605 - server restart wipes out index config if there is a default index

1115177 - attrcrypt_generate_key calls slapd_pk11_TokenKeyGenWithFlags with improper macro

1117021 - Server deadlock if online import started while server is under load

1117975 - paged results control is not working in some cases when we have a subsuffix.

1117979 - harden the list of ciphers available by default

1117981 - Fix various typos in manpages & code

1117982 - Fix hyphens used as minus signed and other manpage mistakes

1118002 - server crashes deleting a replication agreement

1118006 - [RFE] forcing passwordmustchange attribute by non-cn=directory manager

1118007 - [RFE] Make it possible for privileges to be provided to an admin user to import an LDIF file containing hashed passwords

1118014 - [RFE] Enhance ACIs to have more control over MODRDN operations

1118021 - [RFE] Don't return all attributes in rootdse without explicit request

1118032 - Schema Replication Issue

1118043 - Failed deletion of aci: no such attribute

1118048 - If be_txn plugin fails in ldbm_back_add, adding entry is double freed.

1118051 - Add switch to disable pre-hashed password checking

1118054 - Make ldbm_back_seq independently support transactions

1118055 - Add operations rejected by betxn plugins remain in cache

1118057 - online import crashes server if using verbose error logging

1118059 - [RFE] add fixup-memberuid.pl script

1118060 - winsync plugin modify is broken

1118066 - [RFE] memberof scope: allow to exclude subtrees

1118069 - 389-ds production segfault: __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:144

1118074 - ds logs many "SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN plugin returned error" messages

1118076 - ds logs many "Operation error fetching Null DN" messages

1118077 - Improve import logging and abort handling

1118079 - Multi master replication initialization incomplete after restore of one master

1118080 - Don't add unhashed password mod if we don't have an unhashed value

1118081 - Investigate betxn plugins to ensure they return the correct error code

1118082 - The error result text message should be obtained just prior to sending result

1139882 - coverity defects found in 1.3.3.x

1140888 - Broken dereference control with the FreeIPA 4.0 ACIs

1145846 - 389-ds 1.3.3.0 does not adjust cipher suite configuration on upgrade, breaks itself and pki-server: "Cipher suite fortezza is not available in NSS 3.17" , "Cannot communicate securely with peer: no common encryption algorithm(s)."

1150206 - result of dna_dn_is_shared_config is incorrectly used

1150694 - Encoding of SearchResultEntry is missing tag

1150695 - ldbm_back_modify SLAPI_PLUGIN_BE_PRE_MODIFY_FN does not return even if one of the preop plugins fails.

1151287 - dynamically added macro aci is not evaluated on the fly

1153737 - Disable SSL v3, by default.

1156607 - Crash in entry_add_present_values_wsi_multi_valued

1162997 - Directory Server crashes while trying to perform export task for automember plugin with dynamic plugin on.

1163461 - Should not check aci syntax when deleting an aci

1166252 - RHEL7.1 ns-slapd segfault when ipa-replica-install restarts dirsrv

1166260 - cookie_change_info returns random negative number if there was no change in a tree

1167858 - CVE-2014-8105 389-ds-base: information disclosure through 'cn=changelog' subtree

1170707 - cos_cache_build_definition_list does not stop during server shutdown

1170708 - COS memory leak when rebuilding the cache

1170709 - Account lockout attributes incorrectly updated after failed SASL Bind

1171355 - start dirsrv after chrony

1171356 - Bind DN tracking unable to write to internalModifiersName without special permissions

1172597 - Server crashes when memberOf plugin is partially configured

1172729 - CVE-2014-8112 389-ds-base: password hashing bypassed when "nsslapd-unhashed-pw-switch" is set to off

1173273 - [RFE] BDB backend - clear free page files to reduce main db and changelog db size

1180325 - RHEL 7.1 ipa-server-4.1.0 upgrade fails

1182477 - User enable/disable does not sync with ipawinsyncacctdisable set to both

1183655 - IPA replica missing data after master upgraded

 

6. Package List:

 

Red Hat Enterprise Linux Client Optional (v. 7):

 

Source:

389-ds-base-1.3.3.1-13.el7.src.rpm

 

x86_64:

389-ds-base-1.3.3.1-13.el7.x86_64.rpm

389-ds-base-debuginfo-1.3.3.1-13.el7.x86_64.rpm

389-ds-base-devel-1.3.3.1-13.el7.x86_64.rpm

389-ds-base-libs-1.3.3.1-13.el7.x86_64.rpm

 

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

 

Source:

389-ds-base-1.3.3.1-13.el7.src.rpm

 

x86_64:

389-ds-base-1.3.3.1-13.el7.x86_64.rpm

389-ds-base-debuginfo-1.3.3.1-13.el7.x86_64.rpm

389-ds-base-devel-1.3.3.1-13.el7.x86_64.rpm

389-ds-base-libs-1.3.3.1-13.el7.x86_64.rpm

 

Red Hat Enterprise Linux Server (v. 7):

 

Source:

389-ds-base-1.3.3.1-13.el7.src.rpm

 

x86_64:

389-ds-base-1.3.3.1-13.el7.x86_64.rpm

389-ds-base-debuginfo-1.3.3.1-13.el7.x86_64.rpm

389-ds-base-libs-1.3.3.1-13.el7.x86_64.rpm

 

Red Hat Enterprise Linux Server Optional (v. 7):

 

x86_64:

389-ds-base-debuginfo-1.3.3.1-13.el7.x86_64.rpm

389-ds-base-devel-1.3.3.1-13.el7.x86_64.rpm

 

Red Hat Enterprise Linux Workstation (v. 7):

 

Source:

389-ds-base-1.3.3.1-13.el7.src.rpm

 

x86_64:

389-ds-base-1.3.3.1-13.el7.x86_64.rpm

389-ds-base-debuginfo-1.3.3.1-13.el7.x86_64.rpm

389-ds-base-libs-1.3.3.1-13.el7.x86_64.rpm

 

Red Hat Enterprise Linux Workstation Optional (v. 7):

 

x86_64:

389-ds-base-debuginfo-1.3.3.1-13.el7.x86_64.rpm

389-ds-base-devel-1.3.3.1-13.el7.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2014-8105

https://access.redhat.com/security/cve/CVE-2014-8112

https://access.redhat.com/security/updates/classification/#important

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2015 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iD8DBQFU+Gu4XlSAg2UNWIIRArLbAJ4tEDwAhKtaOZvw+UaJ//ynpIhmFACfSlAp

PthBh7lPAwEIEoahfYVfBIg=

=c1GO

-----END PGP SIGNATURE-----
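
To confirm which directory servers still run a build older than the fixed 389-ds-base-1.3.3.1-13.el7 named in the package list, the following added example (not part of the Red Hat advisory) compares installed version-release strings against that build. The host names and installed versions are constructed sample data, and the comparison is a simplified reimplementation of RPM's segment ordering that assumes no epoch, '~' or '^' in the strings.

```python
import re

# Fixed build, taken from the advisory's package list (section 6).
FIXED_VERSION, FIXED_RELEASE = "1.3.3.1", "13.el7"

# RPM compares runs of digits and runs of letters; separators are ignored.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpm_label_cmp(a, b):
    """Order two version or release strings segment by segment.

    Simplified form of RPM's comparison (no '~' or '^' handling).
    Returns -1, 0 or 1.
    """
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)  # numeric, so 9 < 13
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            # A numeric segment is newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    # Shared segments are equal: the string with segments left over is newer.
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def is_fixed(version_release):
    """True if 'VERSION-RELEASE' is at or above the advisory's fixed build."""
    version, release = version_release.rsplit("-", 1)
    result = rpm_label_cmp(version, FIXED_VERSION)
    if result == 0:
        result = rpm_label_cmp(release, FIXED_RELEASE)
    return result >= 0


# Constructed inventory: host -> output of
#   rpm -q --qf '%{VERSION}-%{RELEASE}' 389-ds-base
SAMPLE_INVENTORY = {
    "ldap1.example.test": "1.3.1.6-26.el7_0",
    "ldap2.example.test": "1.3.3.1-9.el7",
    "ldap3.example.test": "1.3.3.1-13.el7",
    "ldap4.example.test": "1.3.3.1-15.el7_1",
}


def hosts_needing_update(inventory):
    """Return the hosts whose installed build predates the fixed one."""
    return sorted(h for h, vr in inventory.items() if not is_fixed(vr))


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(host, SAMPLE_INVENTORY[host], "-> update required")
```

Release numbers are compared numerically per segment, so 9.el7 sorts below 13.el7, which a plain string comparison would get wrong.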

 

 
