Bug 997256 (CVE-2016-4992)

Summary: VUL-0: CVE-2016-4992: 389-ds: Information disclosure via repeated use of LDAP ADD operation
Product: [openSUSE] openSUSE Distribution
Reporter: Andreas Stieger <astieger>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Minor
Priority: P3 - Medium
CC: aj, hguo, jengelh, karol, mrueckert, security-team
Version: Leap 42.3   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/170279/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2016-09-05 14:08:30 UTC
http://directory.fedoraproject.org/docs/389ds/releases/release-1-3-5-13.html

Detailed Changelog since 1.3.5.4

    CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation, etc.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1347760
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4992
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4992.html
Comment 1 Marcus Rückert 2016-09-05 14:11:01 UTC
Note there is also a mention of tmp file bugs mentioned in the change log at http://directory.fedoraproject.org/docs/389ds/releases/release-1-3-5-13.html
Comment 2 Swamp Workflow Management 2016-09-05 22:01:59 UTC
bugbot adjusting priority
Comment 4 Andreas Stieger 2017-11-20 22:39:21 UTC
Howard, could I bother you for a maintenance update for Leap for these bugs?
991201,997256,1007004,1020670,1051997,1069067,1069074
Comment 5 Bernhard Wiedemann 2017-12-05 11:40:25 UTC
This is an autogenerated message for OBS integration:
This bug (997256) was mentioned in
https://build.opensuse.org/request/show/548604 42.2 / 389-ds
Comment 6 Bernhard Wiedemann 2017-12-06 14:40:23 UTC
This is an autogenerated message for OBS integration:
This bug (997256) was mentioned in
https://build.opensuse.org/request/show/554810 42.2 / 389-ds
Comment 7 Andreas Stieger 2017-12-18 20:46:09 UTC
releasing, done. Thanks Howard
Comment 8 Swamp Workflow Management 2017-12-19 02:07:59 UTC
openSUSE-SU-2017:3362-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1007004,1020670,1051997,1069067,1069074,997256
CVE References: CVE-2016-4992,CVE-2016-5405,CVE-2017-2668,CVE-2017-7551
Sources used:
openSUSE Leap 42.3 (src):    389-ds-1.3.4.5-8.1
openSUSE Leap 42.2 (src):    389-ds-1.3.4.5-5.5.1
Comment 9 Karol Babioch 2018-01-09 13:50:32 UTC
All updates released.