From: Raspbian automatic forward porter Date: Fri, 12 May 2023 09:12:30 +0000 (+0100) Subject: Merge version 1.4.0.21-1+rpi1 and 1.4.0.21-1+deb10u1 to produce 1.4.0.21-1+rpi1+deb10u1 X-Git-Tag: archive/raspbian/1.4.0.21-1+rpi1+deb10u1^0 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=e5ec57348f1151df23068569d40615b6b418b143;p=389-ds-base.git Merge version 1.4.0.21-1+rpi1 and 1.4.0.21-1+deb10u1 to produce 1.4.0.21-1+rpi1+deb10u1 --- e5ec57348f1151df23068569d40615b6b418b143 diff --cc debian/changelog index 9690cb3,78a028f..a4e2cef --- a/debian/changelog +++ b/debian/changelog @@@ -1,9 -1,33 +1,40 @@@ - 389-ds-base (1.4.0.21-1+rpi1) buster-staging; urgency=medium ++389-ds-base (1.4.0.21-1+rpi1+deb10u1) buster-staging; urgency=medium + + [changes brought forward from 1.4.0.19-2+rpi1 by Peter Michael Green at Thu, 27 Dec 2018 01:27:25 +0000] + * Add -latomic to LDFLAGS on armhf too. + - -- Raspbian forward porter Mon, 25 Feb 2019 22:23:39 +0000 ++ -- Raspbian forward porter Fri, 12 May 2023 09:12:30 +0000 ++ + 389-ds-base (1.4.0.21-1+deb10u1) buster-security; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * CVE-2021-4091: double free of the virtual attribute context in + persistent search. + * CVE-2022-0918: an unauthenticated attacker with network access to + the LDAP port + can cause a denial of service. + * CVE-2022-0996: expired password was still allowed to access the database. + * CVE-2022-2850: possible NULL pointer dereference leading to a denial of + service. + * CVE-2021-3652: importing an asterisk as password hashes enables successful + authentication with any password, allowing attackers to + access accounts with disabled passwords. + * CVE-2021-3514: an authenticated attacker can crash 389-ds-base using a + specially crafted query in sync_repl client, due to a NULL + pointer dereference. 
+ * CVE-2019-14824:deref plugin vulnerability lets authenticated attackers + access private attributes, like password hashes, using the + 'search' permission. + * CVE-2019-10224:vulnerability that may disclose sensitive information, + including the Directory Manager password, when executing + dscreate and dsconf commands in verbose mode.and dsconf + commands in verbose mode and recording the terminal standard + error output. + * CVE-2019-3883: SSL/TLS requests do not enforce ioblocktimeout limit, leading + to DoS vulnerability by hanging all workers with hanging LDAP + requests. + + -- Anton Gladky Mon, 24 Apr 2023 06:08:15 +0200 389-ds-base (1.4.0.21-1) unstable; urgency=medium
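Review bot: the merged top entry (`389-ds-base (1.4.0.21-1+rpi1+deb10u1)`) only carries forward the `-latomic` LDFLAGS line from the +rpi1 entry and never states that the 1.4.0.21-1+deb10u1 security upload is being merged in, so someone reading only the head of the changelog cannot tell that the CVE fixes listed in the entry below it are included in this version; add a line such as `* Merge with 1.4.0.21-1+deb10u1 (LTS security fixes).` under the forward-port note. While touching that region, the inherited +deb10u1 entry for CVE-2019-10224 contains a pasted duplicate, `when executing dscreate and dsconf commands in verbose mode.and dsconf commands in verbose mode and recording the terminal standard error output.`, which should read `when executing dscreate and dsconf commands in verbose mode and recording the terminal standard error output.`, and the `CVE-2019-14824:deref` and `CVE-2019-10224:vulnerability` lines are missing the space after the colon that every other CVE line in the entry has. These are wording fixes to the imported Debian text, so if the policy is to keep the deb10u1 entry byte-identical to the upstream security upload, leave it and only address the missing merge line.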