Patch | Description | Author | Forwarded | Bugs | Origin | Last update
---|---|---|---|---|---|---
fix-saslpath.diff | | | no | | |
CVE-2017-15135.patch | [PATCH] Ticket bz1525628 - invalid password migration causes unauth bind. Bug Description: Slapi_ct_memcmp expects both inputs to be at LEAST size n. If they are not, we only compared UP to n. Invalid migrations of passwords (IE {CRYPT}XX) would create a pw which is just salt and no hash. ct_memcmp would then only verify the salt bits and would allow the authentication. This relies on an administrative mistake both of allowing password migration (nsslapd-allow-hashed-passwords) and then subsequently migrating an INVALID password to the server. Fix Description: slapi_ct_memcmp now accesses the n1, n2 sizes and will FAIL if they are not the same, but will still compare n bytes, where n is the "longest" memory, to the first byte of the other to prevent length disclosure of the shorter value (generally the mis-migrated password). https://bugzilla.redhat.com/show_bug.cgi?id=1525628 Review by: ??? | wibrown | no | | | 2018-01-18
fix-s390x-failure.diff | commit 900e6fdcf152dd696b5ae189cb1d7c67ab143bae Issue 4563 - Failure on s390x: 'Fails to split RDN "o=pki-tomcat-CA" into components' (#4573). Bug description: SLAPI_OPERATION_TYPE is stored/read as an int (slapi_pblock_get/set), although the storage field is an unsigned long. Calling slapi_pblock_get with a long (8 bytes) destination creates a problem on big-endian (s390x). Fix description: Define destination op_type as an int (4 bytes). relates: https://github.com/389ds/389-ds-base/issues/4563 Reviewed by: Mark Reynolds, William Brown. Platforms tested: F31 (little endian), Debian (big endian). diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c index a507f3c31..49ca01d1d 100644 | tbordaz <tbordaz@redhat.com> | no | | | 2021-01-28
4711-SIGSEV-with-sync_repl-4738.patch | [PATCH] Issue 4711 - SIGSEV with sync_repl (#4738). Bug description: sync_repl sends back entries identified with a unique identifier that is 'nsuniqueid'. If 'nsuniqueid' is missing, then it may crash. Fix description: Check that an nsuniqueid is available, else return OP_ERR. Reviewed by: Pierre Rogier, James Chapman, William Brown (Thanks!). Platforms tested: F33 | tbordaz <tbordaz@redhat.com> | no | | | 2021-04-27
CVE-2024-2199.patch | Security fix for CVE-2024-2199. Description: A denial of service vulnerability was found in the 389 Directory Server. This issue may allow an authenticated user to cause a server crash while modifying userPassword using malformed input. Fix Description: When doing a mod on userPassword we reset the pblock modifier after we set the modified timestamp, ensuring the pblock data stays valid. References: https://nvd.nist.gov/vuln/detail/CVE-2024-2199, https://access.redhat.com/security/cve/CVE-2024-2199, https://bugzilla.redhat.com/show_bug.cgi?id=2267976 | James Chapman <jachapma@redhat.com> | no | | upstream, commit:a9d87c9dbef85506eedc31d96da8a68766b4fc91 | 2024-05-01
CVE-2024-3657.patch | Security fix for CVE-2024-3657. Description: A flaw was found in the 389 Directory Server. A specially-crafted LDAP query can potentially cause a failure on the directory server, leading to a denial of service. Fix Description: The code was modified to avoid a buffer overflow when logging some requests in the audit log. References: https://nvd.nist.gov/vuln/detail/CVE-2024-3657, https://access.redhat.com/security/cve/CVE-2024-3657, https://bugzilla.redhat.com/show_bug.cgi?id=2274401 | Pierre Rogier <progier@redhat.com> | no | | upstream, commit:1cbd6144eecdfaab0f7a84a92cc3de7ee413ac3f | 2024-04-17
CVE-2024-5953.patch | Security fix for CVE-2024-5953. Description: A denial of service vulnerability was found in the 389 Directory Server. This issue may allow an authenticated user to cause a server denial of service while attempting to log in with a user with a malformed hash in their password. Fix Description: To prevent buffer overflow when a bind request is processed, the bind fails if the hash size is not coherent, without even attempting to process the hashed password further. References: https://nvd.nist.gov/vuln/detail/CVE-2024-5953, https://access.redhat.com/security/cve/CVE-2024-5953, https://bugzilla.redhat.com/show_bug.cgi?id=2292104 | Pierre Rogier <progier@redhat.com> | no | | upstream, commit:b7a266f7fd07661afb0c979e76ff8a3a8b9dd0ae | 2024-06-14
CVE-2021-3652-locked-crypt-accounts-may-allow-all-pwd.patch | CVE-2021-3652 - locked crypt accounts on import may allow all passwords (#4819) - Issue 4817 - BUG. Bug Description: Due to mishandling of short dbpwd hashes, the crypt_r algorithm was misused and was only comparing salts in some cases, rather than checking the actual content of the password. Fix Description: Stricter checks on dbpwd lengths to ensure that content passed to crypt_r has at least 2 salt bytes and 1 hash byte, as well as stricter checks on ct_memcmp to ensure that compared values are the same length, rather than potentially allowing overruns/short comparisons. Review by: @mreynolds389 | William Brown <william@blackhats.net.au> | no | | backport, commit:aeb90eb0c41fc48541d983f323c627b2e6c328c7 | 2021-07-09
CVE-2021-4091-double-free-of-virtual-attribute-ctx.patch | CVE-2021-4091 - double-free of the virtual attribute context in persistent search (#5219) - Issue 5218. Description: A search is processed by a worker using a private pblock. If the search is persistent, the worker spawns a thread and kind of duplicates its private pblock so that the spawned thread continues to process the persistent search. Then the worker ends the initial search, reinits (frees) its private pblock, and returns to monitoring the wait_queue. When the persistent search completes, it frees the duplicated pblock. The problem is that the private pblock and the duplicated pblock refer to the same structure (pb_vattr_context). That can lead to a double free. Fix: When cloning the pblock (slapi_pblock_clone), make sure to transfer the references inside the original (private) pblock to the target (cloned) one. That includes the pb_vattr_context pointer. Reviewed by: Mark Reynolds, James Chapman, Pierre Rogier (Thanks!) | tbordaz <tbordaz@redhat.com> | no | | upstream, commit:a3c298f8140d3e4fa1bd5a670f1bb965a21a9b7b | 2022-03-21
CVE-2022-0918-Craft-message-may-crash-the-server.patch | CVE-2022-0918 - Craft message may crash the server (#5243) - Issue 5242. Bug description: A crafted request can result in DoS. Fix description: If the server fails to decode the ber value, then return an Error. Reviewed by: Pierre Rogier, Mark Reynolds (thanks!). Platforms tested: F34 | tbordaz <tbordaz@redhat.com> | no | | upstream, commit:caad47ab207d7c5d61521ec4d33091db559c315a | 2022-03-30
CVE-2022-0996-User-with-expired-password-full-priv.patch | CVE-2022-0996 - User with expired password can still login with full privileges - Issue 5221. Bug Description: A user with an expired password can still login and perform operations with its typical access permissions. But an expired password means the account should be considered anonymous. Fix Description: Clear the bind credentials if the password is expired. Reviewed by: progier (Thanks!) | Mark Reynolds <mreynolds@redhat.com> | no | | upstream, commit:8b2c56123118ba02bb15e3091d2ae62d46df7ba5 | 2022-03-03
CVE-2022-2850-Sync_repl-may-crash-with-invalid-cookie.patch | CVE-2022-2850 - Sync_repl may crash while managing invalid cookie (#5420) - Issue 5418. Bug description: If the server receives an invalid cookie without separator '#', it parses it into an empty cookie (Sync_Cookie) instead of a NULL cookie (failure). Later it SIGSEGVs when using the empty cookie. Fix description: If the parsing fails, return NULL. Reviewed by: Viktor Ashirov, Mark Reynolds, William Brown, Simon Pichugin (thanks!) | tbordaz <tbordaz@redhat.com> | no | | backport, commit:513a763b551848e5532ec22bb0086464aa09252f | 2022-08-18
CVE-2024-8445.patch | Security fix for CVE-2024-8445. Description: The fix for CVE-2024-2199 in 389-ds-base was insufficient to cover all scenarios. In certain product versions, this issue may allow an authenticated user to cause a server crash while modifying `userPassword` using malformed input. References: https://access.redhat.com/security/cve/CVE-2024-8445, https://nvd.nist.gov/vuln/detail/cve-2024-8445, https://bugzilla.redhat.com/show_bug.cgi?id=2310110, https://nvd.nist.gov/vuln/detail/CVE-2024-2199, https://access.redhat.com/security/cve/CVE-2024-2199, https://bugzilla.redhat.com/show_bug.cgi?id=2267976 | Pierre Rogier <progier@redhat.com> | no | | upstream, commit:1d3fddaac336f84e87ba399388f85734d79ebb95 | 2024-09-23