Rapid7 Vulnerability & Exploit Database

RHSA-2015:0628: 389-ds-base security, bug fix, and enhancement update


Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published: 03/05/2015
Created: 07/25/2018
Added: 03/09/2015
Modified: 07/04/2017

Description

The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

An information disclosure flaw was found in the way the 389 Directory Server stored information in the Changelog that is exposed via the 'cn=changelog' LDAP sub-tree. An unauthenticated user could in certain cases use this flaw to read data from the Changelog, which could include sensitive information such as plain-text passwords. (CVE-2014-8105)

This issue was discovered by Petr Špaček of the Red Hat Identity Management Engineering Team.

This update also fixes the following bugs:

In addition, this update adds the following enhancement:

All 389-ds-base users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing this update, the 389 server service will be restarted automatically.

Solution(s)

  • redhat-upgrade-389-ds-base
  • redhat-upgrade-389-ds-base-debuginfo
  • redhat-upgrade-389-ds-base-devel
  • redhat-upgrade-389-ds-base-libs
