Merge version 1.4.0.21-1+rpi1 and 1.4.0.21-1+deb10u1 to produce 1.4.0.21-1+rpi1+deb10u1 buster-staging archive/raspbian/1.4.0.21-1+rpi1+deb10u1 raspbian/1.4.0.21-1+rpi1+deb10u1
author Raspbian automatic forward porter <root@raspbian.org>
Fri, 12 May 2023 09:12:30 +0000 (10:12 +0100)
committer Raspbian automatic forward porter <root@raspbian.org>
Fri, 12 May 2023 09:12:30 +0000 (10:12 +0100)
debian/changelog

index 9690cb302e39d2cda4da48d2120f0c1d9d486307,78a028fd9b237216cd5536bfc42abda14c581651..a4e2cef153014a903cc502bb090e84acf6bc32b4
@@@ -1,9 -1,33 +1,40 @@@
- 389-ds-base (1.4.0.21-1+rpi1) buster-staging; urgency=medium
++389-ds-base (1.4.0.21-1+rpi1+deb10u1) buster-staging; urgency=medium
 +
 +  [changes brought forward from 1.4.0.19-2+rpi1 by Peter Michael Green <plugwash@raspbian.org> at Thu, 27 Dec 2018 01:27:25 +0000]
 +  * Add -latomic to LDFLAGS on armhf too.
 +
-  -- Raspbian forward porter <root@raspbian.org>  Mon, 25 Feb 2019 22:23:39 +0000
++ -- Raspbian forward porter <root@raspbian.org>  Fri, 12 May 2023 09:12:30 +0000
++
+ 389-ds-base (1.4.0.21-1+deb10u1) buster-security; urgency=medium
+   * Non-maintainer upload by the LTS Security Team.
+   * CVE-2021-4091: double free of the virtual attribute context in
+                    persistent search.
+   * CVE-2022-0918: an unauthenticated attacker with network access to
+                    the LDAP port
+                    can cause a denial of service.
+   * CVE-2022-0996: expired password was still allowed to access the database.
+   * CVE-2022-2850: possible NULL pointer dereference leading to a denial of
+                    service.
+   * CVE-2021-3652: importing an asterisk as password hashes enables successful
+                    authentication with any password, allowing attackers to
+                    access accounts with disabled passwords.
+   * CVE-2021-3514: an authenticated attacker can crash 389-ds-base using a
+                    specially crafted query in sync_repl client, due to a NULL
+                    pointer dereference.
+   * CVE-2019-14824:deref plugin vulnerability lets authenticated attackers
+                    access private attributes, like password hashes, using the
+                    'search' permission.
+   * CVE-2019-10224:vulnerability that may disclose sensitive information,
+                    including the Directory Manager password, when executing
+                    dscreate and dsconf commands in verbose mode.and dsconf
+                    commands in verbose mode and recording the terminal standard
+                    error output.
+   * CVE-2019-3883: SSL/TLS requests do not enforce ioblocktimeout limit, leading
+                    to DoS vulnerability by hanging all workers with hanging LDAP
+                    requests.
+  -- Anton Gladky <gladk@debian.org>  Mon, 24 Apr 2023 06:08:15 +0200
  
  389-ds-base (1.4.0.21-1) unstable; urgency=medium
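Review bot: the CVE-2019-10224 bullet in the 1.4.0.21-1+deb10u1 entry carries a duplicated fragment ("in verbose mode.and dsconf commands in verbose mode and recording the terminal standard error output"), so the sentence reads twice over; it would be cleaner as "when executing dscreate and dsconf commands in verbose mode and recording the terminal standard error output." Since this entry is merged verbatim from the Debian security upload the wording is inherited rather than introduced here, but the new top entry (1.4.0.21-1+rpi1+deb10u1) only lists the carried-forward "-latomic" change and says nothing about pulling in the buster-security fixes; a one-line "Merge with 1.4.0.21-1+deb10u1 (security fixes)" bullet under it would make the purpose of the version bump visible without having to read the next entry.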