Bugzilla – Bug 1181159
VUL-0: CVE-2020-35518: 389-ds: information disclosure during the binding of a DN
Last modified: 2022-05-05 11:01:26 UTC
rh#1905565

When binding against a DN during authentication, the reply from 389-ds-base will differ depending on whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1905565
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35518
https://access.redhat.com/security/cve/CVE-2020-35518
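The weakness class described in the report, as an added illustration that is not code from 389-ds-base or from this bug: a toy LDAP simple-bind handler in its leaky form beside a uniform-reply form. The report does not say which replies 389-ds actually produced, so modelling the difference as the standard LDAP result codes noSuchObject (32) versus invalidCredentials (49) is an assumption, and the directory contents, salts and DNs are constructed sample data.

```python
"""Toy model of the bind oracle described in CVE-2020-35518.

Added illustration, not 389-ds-base code. Assumption: the distinguishable
replies are modelled as the RFC 4511 result codes noSuchObject (32) versus
invalidCredentials (49); the report itself does not state which replies
the server produced.
"""
import hashlib
import hmac
import os

SUCCESS = 0                # RFC 4511 resultCode success
NO_SUCH_OBJECT = 32        # RFC 4511 resultCode noSuchObject
INVALID_CREDENTIALS = 49   # RFC 4511 resultCode invalidCredentials
_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 of the password; a stand-in for the server's password scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed sample directory: DN -> (salt, stored password hash).
_SALT = b"constructed-salt"
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": (_SALT, _hash_password("correct horse", _SALT)),
}

# Dummy credential verified when the DN is absent, so the absent-DN path does
# the same hashing work as the wrong-password path (no timing side channel).
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash_password(os.urandom(16).hex(), _DUMMY_SALT))


def bind_leaky(dn: str, password: str) -> int:
    """Vulnerable behaviour: the reply tells the client whether the DN exists."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return NO_SUCH_OBJECT  # distinct reply for a missing entry: the oracle
    salt, stored = entry
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return SUCCESS
    return INVALID_CREDENTIALS


def bind_uniform(dn: str, password: str) -> int:
    """Hardened behaviour: same reply and same work whether or not the DN exists."""
    entry = DIRECTORY.get(dn)
    exists = entry is not None
    salt, stored = entry if exists else _DUMMY
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if exists and ok:
        return SUCCESS
    # Missing DN and wrong password collapse into one result code.
    return INVALID_CREDENTIALS


def is_enumeration_oracle(bind) -> bool:
    """Regression check: True if bind() distinguishes a missing DN from a bad password."""
    missing = bind("uid=nobody,ou=people,dc=example,dc=com", "x")
    wrong = bind("uid=alice,ou=people,dc=example,dc=com", "x")
    return missing != wrong


if __name__ == "__main__":
    print("leaky handler is an oracle:", is_enumeration_oracle(bind_leaky))
    print("uniform handler is an oracle:", is_enumeration_oracle(bind_uniform))
```

`is_enumeration_oracle` is the kind of check worth keeping in a test suite for any authentication endpoint: it fails as soon as a code path reintroduces a reply that depends on account existence. The dummy-credential step in `bind_uniform` matters because equal result codes alone still leave a timing difference if the missing-DN path skips the password hash.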
@William: I could not identify the patch so far, do you have an idea which one the right one would be?
(In reply to Robert Frohl from comment #1)
> @William: I could not identify the patch so far, do you have an idea which one the right one would be?

commit b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32
https://github.com/389ds/389-ds-base/issues/4609

1.4.3.19 resolves for 15sp2 and 1.4.4.12 for 15sp3 (not released yet). So I'll update these today.
SUSE-SU-2021:0724-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1181159
CVE References: CVE-2020-35518
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): 389-ds-1.4.3.19~git0.bef0b5bed-3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0418-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1181159
CVE References: CVE-2020-35518
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): 389-ds-1.4.3.19~git0.bef0b5bed-lp152.2.12.1
not relevant enough to fix in:
- SUSE:SLE-15:Update/389-ds
- SUSE:SLE-15-SP1:Update/389-ds

closing.