Updated 389-ds-base packages fix security vulnerability
Publication date: 16 Sep 2017
Modification date: 15 Sep 2017
Type: security
Affected Mageia releases: 5, 6
CVE: CVE-2017-7551
Description
The directory server password lockout policy prevents binds from operating once a threshold of failed passwords has been met. During this lockout, if you bind with a successful password, a different error code is returned. This means that an attacker faces no rate limit or penalty during an account lock and can continue to attempt passwords via brute force, using the change in return code to ascertain a successful password authentication (CVE-2017-7551).
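A toy model of the behaviour described above, added here as an illustration and not taken from 389-ds-base; the result names, the threshold and the order of checks are assumptions. `lockout_leaks` works as a regression check that a locked account returns the same result whatever password is supplied.

```python
# Toy model of a lockout policy; added example, not 389-ds-base code.
import hmac
from dataclasses import dataclass, field
# Constructed result names and threshold (assumptions, not server values).
OK, INVALID, LOCKED = "ok", "invalid_credentials", "account_locked"
MAX_FAILURES = 3


@dataclass
class Directory:
    passwords: dict
    failures: dict = field(default_factory=dict)

    def _locked(self, user):
        return self.failures.get(user, 0) >= MAX_FAILURES

    def _fail(self, user):
        self.failures[user] = self.failures.get(user, 0) + 1
        return INVALID

    def _matches(self, user, password):
        return hmac.compare_digest(self.passwords.get(user, ""), password)

    def bind_leaky(self, user, password):
        # Password is verified before the lock is consulted, so a locked
        # account answers differently for a right and a wrong password.
        if not self._matches(user, password):
            return self._fail(user)
        if self._locked(user):
            return LOCKED
        self.failures[user] = 0
        return OK

    def bind_hardened(self, user, password):
        # Lock is consulted first: during lockout the result does not
        # depend on the supplied password at all.
        if self._locked(user):
            return LOCKED
        if not self._matches(user, password):
            return self._fail(user)
        self.failures[user] = 0
        return OK


def lockout_leaks(bind, user, right, wrong):
    """Lock the account, then compare results for right and wrong passwords."""
    for _ in range(MAX_FAILURES):
        bind(user, wrong)
    return bind(user, right) != bind(user, wrong)
```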
References
SRPMS
6/core
- 389-ds-base-1.3.5.17-1.1.mga6
5/core
- 389-ds-base-1.3.4.14-1.3.mga5