projects / 389-ds-base.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(merge: ebafa41 c748aa3)
389-ds-base (1.4.0.21-1+deb10u1) buster-security; urgency=medium
authorAnton Gladky <gladk@debian.org>
Mon, 24 Apr 2023 04:08:15 +0000 (05:08 +0100)
committerAnton Gladky <gladk@debian.org>
Mon, 24 Apr 2023 04:08:15 +0000 (05:08 +0100)
commita478cb302275875710a55a32ff51903c3309e395
tree5e7f408673892c7a612e8f086000680143cea453tree | snapshot
parentebafa41940888baf819cb6aeee703f2b71e50075commit | diff
parentc748aa3b5ce4e2fbe24e15a888d122c160517341commit | diff
389-ds-base (1.4.0.21-1+deb10u1) buster-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2021-4091: double free of the virtual attribute context in
                   persistent search.
  * CVE-2022-0918: an unauthenticated attacker with network access to
                   the LDAP port
                   can cause a denial of service.
  * CVE-2022-0996: expired password was still allowed to access the database.
  * CVE-2022-2850: possible NULL pointer dereference leading to a denial of
                   service.
  * CVE-2021-3652: importing an asterisk as password hashes enables successful
                   authentication with any password, allowing attackers to
                   access accounts with disabled passwords.
  * CVE-2021-3514: an authenticated attacker can crash 389-ds-base using a
                   specially crafted query in sync_repl client, due to a NULL
                   pointer dereference.
  * CVE-2019-14824:deref plugin vulnerability lets authenticated attackers
                   access private attributes, like password hashes, using the
                   'search' permission.
  * CVE-2019-10224:vulnerability that may disclose sensitive information,
                   including the Directory Manager password, when executing
                   dscreate and dsconf commands in verbose mode.and dsconf
                   commands in verbose mode and recording the terminal standard
                   error output.
  * CVE-2019-3883: SSL/TLS requests do not enforce ioblocktimeout limit, leading
                   to DoS vulnerability by hanging all workers with hanging LDAP
                   requests.

[dgit import unpatched 389-ds-base 1.4.0.21-1+deb10u1]
58 files changed:
debian/389-ds-base-dev.install | | blob
debian/389-ds-base-legacy-tools.install | | blob
debian/389-ds-base-libs.install | | blob
debian/389-ds-base-libs.lintian-overrides | | blob
debian/389-ds-base.default | | blob
debian/389-ds-base.dirs | | blob
debian/389-ds-base.install | | blob
debian/389-ds-base.links | | blob
debian/389-ds-base.lintian-overrides | | blob
debian/389-ds-base.postinst | | blob
debian/389-ds-base.postrm | | blob
debian/389-ds-base.prerm | | blob
debian/README.Debian | | blob
debian/changelog | | blob
debian/cockpit-389-ds.install | | blob
debian/compat | | blob
debian/control | | blob
debian/copyright | | blob
debian/missing-sources/bootpopup.js | | blob
debian/missing-sources/bootstrap.js | | blob
debian/missing-sources/c3.js | | blob
debian/missing-sources/d3.js | | blob
debian/missing-sources/jquery-1.12.4.js | | blob
debian/missing-sources/jquery-3.3.1.js | | blob
debian/missing-sources/jquery-ui.js | | blob
debian/missing-sources/jquery.dataTables.js | | blob
debian/missing-sources/jquery.dataTables.select.js | | blob
debian/missing-sources/jquery.dropdown.js | | blob
debian/missing-sources/jquery.js | | blob
debian/missing-sources/jquery.timepicker.js | | blob
debian/missing-sources/jstree.js | | blob
debian/missing-sources/moment.js | | blob
debian/missing-sources/patternfly.js | | blob
debian/patches/CVE-2017-15135.patch | | blob
debian/patches/CVE-2019-10224.patch | | blob
debian/patches/CVE-2019-14824.patch | | blob
debian/patches/CVE-2019-3883.patch | | blob
debian/patches/CVE-2021-3514.patch | | blob
debian/patches/CVE-2021-3652.patch | | blob
debian/patches/CVE-2021-4091.patch | | blob
debian/patches/CVE-2022-0918.patch | | blob
debian/patches/CVE-2022-0996.patch | | blob
debian/patches/CVE-2022-2850.patch | | blob
debian/patches/fix-nss-path.diff | | blob
debian/patches/fix-obsolete-target.diff | | blob
debian/patches/fix-saslpath.diff | | blob
debian/patches/fix-systemctl-path.diff | | blob
debian/patches/icu_pkg-config.patch | | blob
debian/patches/perl-use-move-instead-of-rename.diff | | blob
debian/patches/rename-online-scripts.diff | | blob
debian/patches/series | | blob
debian/patches/use-bash-instead-of-sh.diff | | blob
debian/python3-lib389.install | | blob
debian/rules | | blob
debian/source/format | | blob
debian/tests/control | | blob
debian/tests/setup | | blob
debian/watch | | blob
Unnamed repository; edit this file 'description' to name the repository.