Advisories » MGASA-2017-0340

Updated 389-ds-base packages fix security vulnerability

Publication date: 16 Sep 2017
Modification date: 15 Sep 2017
Type: security
Affected Mageia releases: 5, 6
CVE: CVE-2017-7551

Description

The directory server password lockout policy prevents binds from
succeeding once a threshold of failed passwords has been reached. During
this lockout, however, a bind with the correct password returns a
different error code than a bind with a wrong one. An attacker therefore
faces no rate limit or penalty while an account is locked, and can
continue to brute-force passwords, using the change in return code to
identify a successful password authentication (CVE-2017-7551).
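
The flaw described above comes down to whether the lockout check runs before or after the password check. The following model is an added example, not 389-ds-base code; the class, the function names, the threshold and the mapping of LDAP result codes to each case are assumptions made for illustration.

```python
import hmac

# LDAP result codes from RFC 4511. Which code the affected server sent in
# which case is an assumption of this model, not taken from the advisory.
SUCCESS, CONSTRAINT_VIOLATION, INVALID_CREDENTIALS = 0, 19, 49

MAX_FAILURES = 3  # hypothetical lockout threshold


class Account:
    def __init__(self, password):
        self.password = password
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= MAX_FAILURES


def _password_ok(account, attempt):
    # Constant-time comparison of the candidate with the stored password.
    return hmac.compare_digest(account.password.encode(), attempt.encode())


def bind_flawed(account, attempt):
    """Password is verified first, so a locked account still answers
    differently for the right password (the behaviour described above)."""
    if _password_ok(account, attempt):
        return CONSTRAINT_VIOLATION if account.locked else SUCCESS
    account.failures += 1
    return INVALID_CREDENTIALS


def bind_hardened(account, attempt):
    """Lockout is checked before the password is looked at, so every bind
    during lockout gets the same result code."""
    if account.locked:
        return CONSTRAINT_VIOLATION
    if _password_ok(account, attempt):
        account.failures = 0
        return SUCCESS
    account.failures += 1
    return INVALID_CREDENTIALS


def lockout_responses(bind, attempts, password="correct-horse"):
    """Lock a fresh account, then return the set of codes seen for attempts."""
    account = Account(password)
    for _ in range(MAX_FAILURES):
        bind(account, "wrong")
    return {bind(account, a) for a in attempts}
```

A regression test for the fix can assert that `lockout_responses` returns a single result code for the hardened ordering, whatever passwords are tried during the lockout.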
                

References

SRPMS

6/core

5/core