[SECURITY] Fedora 18 Update: 389-ds-base-1.3.0.8-1.fc18

updates at fedoraproject.org
Fri Aug 30 22:56:20 UTC 2013


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-15518
2013-08-29 21:14:29
--------------------------------------------------------------------------------

Name        : 389-ds-base
Product     : Fedora 18
Version     : 1.3.0.8
Release     : 1.fc18
URL         : http://port389.org/
Summary     : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server.  The base package includes
the LDAP server and command line utilities for server administration.

--------------------------------------------------------------------------------
Update Information:

This version fixes a security bug in which modifying an entry specified by an invalid DN crashed the server.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Aug 28 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.3.0.8-1
- bump version to 1.3.0.8
- Bug 1002215 - CVE-2013-4283 389-ds-base: ns-slapd crash due to bogus DN
* Wed Jul 31 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.3.0.7-1
- bump version to 1.3.0.7
- fix coverity 11895 - null deref - caused by fix to ticket 47392
- fix compiler warning in posix winsync code for posix_group_del_memberuid_callback (cherry picked from commit f440e039a5f2a7b2ea0dd087d8e91c554abc1be0)
- Fix compiler warnings for Ticket 47395 and 47397
- fix compiler warning (cherry picked from commit 904416f4631d842a105851b4a9931ae17822a107) (cherry picked from commit 3a5f8de21fba3656670b8ee35e020f159d4110db)
- Ticket 543 - Sorting with attributes in ldapsearch gives incorrect result
- Ticket 47405 - CVE-2013-2219 ACLs inoperative in some search scenarios
- Ticket 47449 - deadlock after adding and deleting entries
- Ticket 47421 - memory leaks in set_krb5_creds
- Ticket 47441 - Disk Monitoring not checking filesystem with logs
- Ticket 47435 - Very large entryusn values after enabling the USN plugin and the lastusn value is negative.
- Ticket 47424 - Replication problem with add-delete requests on single-valued attributes
- Ticket 47367 - (phase 2) ldapdelete returns non-leaf entry error while trying to remove a leaf entry
- Ticket 47367 - (phase 1) ldapdelete returns non-leaf entry error while trying to remove a leaf entry
- Ticket 47399 - RHDS denies MODRDN access if ACI list contains any DENY rule
- Ticket 47427 - Overflow in nsslapd-disk-monitoring-threshold
- Ticket 47428 - Memory leak in 389-ds-base 1.2.11.15
- Ticket 47392 - ldbm errors when adding/modifying/deleting entries
- Ticket 47385 - Disk Monitoring is not triggered as expected.
- Ticket 47410 - changelog db deadlocks with DNA and replication
- Ticket 47419 - Unhashed userpassword can accidentally get removed from mods
- Ticket 47409 - allow setting db deadlock rejection policy
- Ticket 47393 - Attribute are not encrypted on a consumer after a full initialization
- Ticket 47395 47397 v2 correct behaviour of account policy if only stateattr is configured or no alternate attr is configured
- Ticket 47396 - crash on modrdn of tombstone
- Ticket 47402 - Attribute names are incorrect in search results
- Ticket 47400 - MMR stress test with dna enabled causes a deadlock
- Ticket 47391 - deleting and adding userpassword fails to update the password (additional fix)
- Ticket 47391 - deleting and adding userpassword fails to update the password
- Coverity Fixes (Part 7)
- Ticket 47376 - DESC should not be empty as per RFC 2252 (ldapv3)
- Ticket 47375 - flush_ber error sending back start_tls response will deadlock
- Ticket 47377 - make listen backlog size configurable
- Ticket 47383 - connections attribute in cn=snmp,cn=monitor is counted twice
- Ticket 47385 - DS not shutting down when disk monitoring threshold is reached
- Ticket 47378 - fix recent compiler warnings
- Coverity Fixes (Part 5)
- Coverity Fixes (Part 4)
- Coverity Fixes (Part 3)
- Coverity Fixes (Part 2)
- Coverity Fixes (part 1)
- Ticket 580 - Wrong error code return when using EXTERNAL SASL and no client certificate
- Ticket 47349 - DS instance crashes under a high load
- Ticket 47359 - new ldap connections can block ldaps and ldapi connections
- Ticket 47327 - error syncing group if group member user is not synced
- Ticket 47362 - ipa upgrade selinuxusermap data not replicating
- Revert "Ticket 47355 - dse.ldif doesn't replicate update to nsslapd-sasl-mapping-fallback"
- Revert "Ticket 511 - Revision - allow turning off vattr lookup in search entry return"
- Ticket 511 - Revision - allow turning off vattr lookup in search entry return
- Ticket 47355 - dse.ldif doesn't replicate update to nsslapd-sasl-mapping-fallback
- Ticket 47347 - Simple paged results should support async search
* Wed Apr 10 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.3.0.6-1
- bump version to 1.3.0.6
- Ticket 623 - cleanAllRUV task fails to cleanup config upon completion
- Coverity fix   13139 - Dereference after NULL check in slapi_attr_value_normalize_ext()
- Ticket 47318 - server fails to start after upgrade(schema error)
* Thu Mar 28 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.3.0.5-1
- bump version to 1.3.0.5
- Ticket 47308 - unintended information exposure when anonymous access is set to rootdse
- Ticket 628 - crash in aci evaluation
- Ticket 627 - ns-slapd crashes sporadically with segmentation fault in libslapd.so
- Ticket 634 - Deadlock in DNA plug-in Ticket #576 - DNA: use event queue for config update only at the start up
- Ticket 632 - 389-ds-base cannot handle Kerberos tickets with PAC
- Ticket 623 - cleanAllRUV task fails to cleanup config upon completion
* Mon Mar 11 2013 Mark Reynolds <mreynolds at redhat.com> - 1.3.0.4-1
- e53d691 bump version to 1.3.0.4
- Bug 912964 - CVE-2013-0312 389-ds: unauthenticated denial of service vulnerability in handling of LDAPv3 control data
- Ticket 570 - DS returns error 20 when replacing values of a multi-valued attribute (only when replication is enabled)
- Ticket 490 - Slow role performance when using a lot of roles
- Ticket 590 - ns-slapd segfaults while trying to delete a tombstone entry
* Wed Feb 13 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.3.0.3-1
- bump version to 1.3.0.3
- Ticket #584 - Existence of an entry is not checked when its password is to be deleted
- Ticket 562 - Crash when deleting suffix
* Wed Jan 16 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.3.0.2-1
- bump version to 1.3.0.2
- Ticket #542 - Cannot dynamically set nsslapd-maxbersize
* Wed Jan 16 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.3.0.1-1
- bump version to 1.3.0.1
- Ticket 556 - Don't overwrite certmap.conf during upgrade
* Tue Jan  8 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.3.0.0-1
- bump version to 1.3.0.0
* Tue Jan  8 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.3.0-0.3.rc3
- bump version to 1.3.0.rc3
- Ticket 549 - DNA plugin no longer reports additional info when range is depleted
- Ticket 541 - need to set plugin as off in ldif template
- Ticket 541 - RootDN Access Control plugin is missing after upgrade
* Fri Dec 14 2012 Noriko Hosoi <nhosoi at redhat.com> - 1.3.0-0.2.rc2
- bump version to 1.3.0.rc2
- Trac Ticket #497 - Escaped character cannot be used in the substring search filter
- Ticket 509 - lock-free access to be->be_suffixlock
- Trac Ticket #522 - betxn: upgrade is not implemented yet
* Tue Dec 11 2012 Noriko Hosoi <nhosoi at redhat.com> - 1.3.0-0.1.rc1
- bump version to 1.3.0.rc1
- Ticket #322 - Create DOAP description for the 389 Directory Server project
- Trac Ticket #499 - Handling URP results is not correct
- Ticket 509 - lock-free access to be->be_suffixlock
- Ticket 456 - improve entry cache sizing
- Trac Ticket #531 - loading an entry from the database should use str2entry_f
- Trac Ticket #536 - Clean up compiler warnings for 1.3
- Trac Ticket #531 - loading an entry from the database should use str2entry_fast
- Ticket 509 - lock-free access to be->be_suffixlock
- Ticket 527 - ns-slapd segfaults if it cannot rename the logs
- Ticket 395 - RFE: 389-ds shouldn't advertise in the rootDSE that we can handle a sasl mech if we really can't
- Ticket 216 - disable replication agreements
- Ticket 518 - dse.ldif is 0 length after server kill or machine kill
- Ticket 393 - Change in winSyncInterval does not take immediate effect
- Ticket 20 - Allow automember to work on entries that have already been added
- Coverity Fixes
- Ticket 349 - nsViewFilter syntax issue in 389DS 1.2.5
- Ticket 337 - improve CLEANRUV functionality
- Fix for ticket 504
- Ticket 394 - modify-delete userpassword
- minor fixes for bdb 4.2/4.3 and mozldap
- Trac Ticket #276 - Multiple threads simultaneously working on connection's private buffer causes ns-slapd to abort
- Fix for ticket 465: cn=monitor showing stats for other db instances
- Ticket 507 - use mutex for FrontendConfig lock instead of rwlock
- Fix for ticket 510 Avoid creating an attribute just to determine the syntax for a type, look up the syntax directly by type
- Coverity defect: Resource leak 13110
- Ticket 517 - crash in DNA if no dnaMagicRegen is specified
- Trac Ticket #520 - RedHat Directory Server crashes (segfaults) when moving ldap entry
- Trac Ticket #519 - Search with a complex filter including range search is slow
- Trac Ticket #500 - Newly created users with organizationalPerson objectClass fails to sync from AD to DS with missing attribute error
- Trac Ticket #311 - IP lookup failing with multiple DNS entries
- Trac Ticket #447 - Possible to add invalid attribute to nsslapd-allowed-to-delete-attrs
- Trac Ticket #443 - Deleting attribute present in nsslapd-allowed-to-delete-attrs returns Operations error
- Ticket #503 - Improve AD version in winsync log message
- Trac Ticket #190 - Un-resolvable server in replication agreement produces unclear error message
- Coverity fixes
- Trac Ticket #391 - Slapd crashes when deleting backends while operations are still in progress
- Trac Ticket #448 - Possible to set invalid macros in Macro ACIs
- Trac Ticket #498 - Cannot abandon simple paged result search
- Coverity defects
- Trac Ticket #494 - slapd entered to infinite loop during new index addition
- Fixing compiler warnings in the posix-winsync plugin
- Coverity defects
- Ticket 147 - Internal Password Policy usage very inefficient
- Ticket 495 - internalModifiersname not updated by DNA plugin
- Revert "Ticket 495 - internalModifiersname not updated by DNA plugin"
- Ticket 495 - internalModifiersname not updated by DNA plugin
- Ticket 468 - if pam_passthru is enabled, need to AC_CHECK_HEADERS([security/pam_appl.h])
- Ticket 486 - nsslapd-enablePlugin should not be multivalued
- Ticket 488 - Doc: DS error log messages with typo
- Trac Ticket #451 - Allow db2ldif to be quiet
- Ticket #491 - multimaster_extop_cleanruv returns wrong error codes
- Ticket #481 - expand nested posix groups
- Trac Ticket #455 - Insufficient rights to unhashed#user#password when user deletes his password
- Ticket #446 - anonymous limits are being applied to directory manager
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #999634 - CVE-2013-4283 389-ds-base: ns-slapd crash due to bogus DN
        https://bugzilla.redhat.com/show_bug.cgi?id=999634
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update 389-ds-base' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

