Bugzilla – Bug 991201
VUL-0: CVE-2016-5416: 389-ds: ACI readable by anonymous user
Last modified: 2020-04-11 22:50:59 UTC
Via RH: It was found that 389 Directory Server is vulnerable to a flaw in which the default ACI (Access control instructions) could be read by an anonymous user. This could lead to leakage of sensitive information. https://fedorahosted.org/389/ticket/48852 I guess this will be included in a future version, and if anything this looks like a configuration issue and improvements of a default / addition of configuration options less prone to misconfiguration? References: https://bugzilla.redhat.com/show_bug.cgi?id=1349540 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5416
bugbot adjusting priority
ping, along with bug 997256?
Howard, could I bother you for a maintenance update for Leap for these bugs? 991201,997256,1007004,1020670,1051997,1069067,1069074
As of today, the upstream developers do not have a resolution to this issue according to https://pagure.io/389-ds-base/issue/48852
According to the RHSA[1] this is already fixed in the current version. @William: Could you double check and reassign to security? [1] https://access.redhat.com/errata/RHSA-2016:2594
This ticket confuses two issues IMO. First is the ticket about the targetaci issue - that's not a CVE and is just something that can't be fixed. The second is the anonymous ACIs being readable. Kerckhoffs's principle states "knowledge of the system, should not compromise the system", but CVE hunting means people assign ridiculous issues to software. This is not a security issue or risk in any way shape or form. There are some changes that have been made to the example ACIs to "help" with this issue if people get CVE-paranoia. They are available in 1.4.0.22 and higher. I will be submitting an update soon for this. Thanks,
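The comment above separates two things: whether the ACIs themselves are readable by an anonymous bind, and whether that reveals anything an attacker could not already infer. An administrator who still wants the `aci` attribute hidden from anonymous readers needs a way to review the rules in place. The following checker is an added example written for this page; it is not code from 389-ds or from the SUSE update. It parses ACI strings in 389-ds syntax and reports which of them grant anonymous binds read access to a given attribute (`aci` by default). The two ACI strings are constructed samples modelled on the usual "Enable anonymous access" rule; the exact text of the project's default ACI and of its changed example ACIs is not on this page and is not claimed here. An ACI with no `targetattr` clause is treated as covering every attribute, which is a deliberately conservative reviewer assumption.

```python
import re

# Constructed sample ACIs in 389-ds ACI syntax for this example; they are
# modelled on the common "Enable anonymous access" rule but are not copied
# from the page or from the 389-ds project.
DEFAULT_ANON_ACI = (
    '(targetattr!="userPassword")'
    '(version 3.0; acl "Enable anonymous access"; '
    'allow (read, search, compare) userdn="ldap:///anyone";)'
)
# Hardened variant: the aci attribute itself is excluded from anonymous read.
HARDENED_ANON_ACI = (
    '(targetattr!="userPassword || aci")'
    '(version 3.0; acl "Enable anonymous access (aci hidden)"; '
    'allow (read, search, compare) userdn="ldap:///anyone";)'
)

TARGETATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', re.IGNORECASE)
ACL_NAME_RE = re.compile(r'acl\s*"([^"]*)"', re.IGNORECASE)
RULE_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*(.*?);', re.IGNORECASE | re.DOTALL)
ANON_RE = re.compile(r'userdn\s*=\s*"ldap:///anyone"', re.IGNORECASE)


def targets_attribute(aci, attr):
    """True if the ACI's targetattr clause covers `attr`.

    targetattr="*" or an explicit list matches positively; targetattr!="..."
    matches every attribute except the listed ones. An ACI with no targetattr
    clause is treated as covering all attributes (conservative assumption made
    for this example so that an exposure is never silently skipped).
    """
    m = TARGETATTR_RE.search(aci)
    if m is None:
        return True
    negated = m.group(1) == "!="
    listed = {a.strip().lower() for a in m.group(2).split("||")}
    if negated:
        return attr.lower() not in listed
    return "*" in listed or attr.lower() in listed


def anonymous_can_read(aci, attr="aci"):
    """True if this single ACI grants anonymous binds read on `attr`.

    Only the ACI in hand is evaluated: in 389-ds a deny rule elsewhere takes
    precedence over an allow, so a full review must also consider every other
    ACI that applies to the same subtree.
    """
    if not targets_attribute(aci, attr):
        return False
    for kind, perms, bind in RULE_RE.findall(aci):
        if kind.lower() != "allow":
            continue
        granted = {p.strip().lower() for p in perms.split(",")}
        if "read" in granted and ANON_RE.search(bind):
            return True
    return False


def audit(acis, attr="aci"):
    """Return the acl names of ACIs that expose `attr` to anonymous readers."""
    exposed = []
    for aci in acis:
        if anonymous_can_read(aci, attr):
            m = ACL_NAME_RE.search(aci)
            exposed.append(m.group(1) if m else aci)
    return exposed


if __name__ == "__main__":
    for name in audit([DEFAULT_ANON_ACI, HARDENED_ANON_ACI]):
        print("anonymous read of 'aci' granted by:", name)
```

Run against ACI values exported from the directory (for example the `aci` attribute of the suffix entry), the checker flags rules whose `targetattr` still covers `aci` while allowing `read` to `ldap:///anyone`; the hardened sample shows the shape of a rule that excludes it.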
SUSE-SU-2019:2155-1: An update that solves 8 vulnerabilities and has two fixes is now available.
Category: security (important)
Bug References: 1083689,1092187,1099465,1105606,1108674,1109609,1120189,1132385,1144797,991201
CVE References: CVE-2016-5416,CVE-2018-1054,CVE-2018-10871,CVE-2018-1089,CVE-2018-10935,CVE-2018-14638,CVE-2018-14648,CVE-2019-3883
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): 389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1
SUSE Linux Enterprise Module for Server Applications 15 (src): 389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): 389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): 389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done
This is an autogenerated message for OBS integration: This bug (991201) was mentioned in https://build.opensuse.org/request/show/793266 15.1 / 389-ds