MGASA-2016-0350

Updated 389-ds-base packages fix security vulnerability

Publication date: 21 Oct 2016
Modification date: 21 Oct 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-4992

Description

A vulnerability was found in 389-ds-base that allows the limitations on
compare and read operations specified by Access Control Instructions to be
bypassed. Given an LDAP sub-tree containing existing objects and a bind DN
that has no privileges over the objects inside that sub-tree, an unprivileged
user can send an LDAP ADD operation naming an object in the (supposedly)
inaccessible sub-tree. The returned error message discloses whether the
queried object exists with the specified value. An attacker can use this flaw
to guess the values of the RDN component by repeating the above process
(CVE-2016-4992).
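As an added detection example (not part of the advisory or of 389-ds-base itself), the following Python correlates ADD operations in a 389-ds access log with their RESULT lines and flags bind DNs whose ADDs into a sub-tree are repeatedly refused, which is the trace the guessing described above would leave behind. The log lines are constructed, and the access-log layout (conn=/op= pairs), the "anonymous" fallback and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the 389-ds access-log layout; made up for this example.
SAMPLE_LOG = """\
[21/Oct/2016:10:00:01 +0000] conn=7 op=0 BIND dn="uid=guest,ou=people,dc=example,dc=com" method=128 version=3
[21/Oct/2016:10:00:01 +0000] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=guest,ou=people,dc=example,dc=com"
[21/Oct/2016:10:00:02 +0000] conn=7 op=1 ADD dn="uid=aaa,ou=secret,dc=example,dc=com"
[21/Oct/2016:10:00:02 +0000] conn=7 op=1 RESULT err=50 tag=105 nentries=0 etime=0
[21/Oct/2016:10:00:02 +0000] conn=7 op=2 ADD dn="uid=aab,ou=secret,dc=example,dc=com"
[21/Oct/2016:10:00:02 +0000] conn=7 op=2 RESULT err=68 tag=105 nentries=0 etime=0
[21/Oct/2016:10:00:03 +0000] conn=7 op=3 ADD dn="uid=aac,ou=secret,dc=example,dc=com"
[21/Oct/2016:10:00:03 +0000] conn=7 op=3 RESULT err=50 tag=105 nentries=0 etime=0
[21/Oct/2016:10:00:05 +0000] conn=9 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128 version=3
[21/Oct/2016:10:00:06 +0000] conn=9 op=1 ADD dn="uid=newuser,ou=people,dc=example,dc=com"
[21/Oct/2016:10:00:06 +0000] conn=9 op=1 RESULT err=0 tag=105 nentries=0 etime=0
"""

OP_RE = re.compile(r'conn=(\d+) op=(\d+) (\w+)(.*)')
DN_RE = re.compile(r'dn="([^"]*)"')
ERR_RE = re.compile(r'err=(\d+)')

def refused_adds_per_bind(log_text):
    """Per bind DN: how many ADDs were refused (err != 0; RFC 4511 code 50 is
    insufficientAccessRights, 68 entryAlreadyExists) and which parent sub-trees."""
    bind_dn = {}           # conn -> DN bound on that connection
    pending = {}           # (conn, op) -> target DN of an ADD awaiting its RESULT
    stats = defaultdict(lambda: {"count": 0, "subtrees": set()})
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        if kind == "BIND":
            d = DN_RE.search(rest)
            bind_dn[conn] = d.group(1) if d else "anonymous"
        elif kind == "ADD":
            pending[(conn, op)] = DN_RE.search(rest).group(1)
        elif kind == "RESULT" and (conn, op) in pending:
            target = pending.pop((conn, op))
            if int(ERR_RE.search(rest).group(1)) != 0:
                entry = stats[bind_dn.get(conn, "anonymous")]
                entry["count"] += 1
                entry["subtrees"].add(target.split(",", 1)[-1])  # parent of the RDN
    return dict(stats)

def flag_enumeration(log_text, threshold=3):
    """Bind DNs whose refused ADDs reach the (tunable) threshold."""
    return sorted(dn for dn, s in refused_adds_per_bind(log_text).items()
                  if s["count"] >= threshold)
```

Running it over the sample flags only the guest bind, whose three refused ADDs all target ou=secret; the admin's successful ADD is not counted.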

References

SRPMS

5/core