Red Hat Local Security Checks : RedHat Update for 389-ds-base RHSA-2013:0503-03

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.870921

Category: Red Hat Local Security Checks

Title: RedHat Update for 389-ds-base RHSA-2013:0503-03

Summary: The remote host is missing an update for the '389-ds-base'; package(s) announced via the referenced advisory.

Description: Summary:
The remote host is missing an update for the '389-ds-base'
package(s) announced via the referenced advisory.

Vulnerability Insight:
The 389-ds-base packages provide 389 Directory Server, which is an LDAPv3
compliant server. The base packages include the Lightweight Directory
Access Protocol (LDAP) server and command-line utilities for server
administration.

A flaw was found in the way 389 Directory Server enforced ACLs after
performing an LDAP modify relative distinguished name (modrdn) operation.
After modrdn was used to move part of a tree, the ACLs defined on the moved
(Distinguished Name) were not properly enforced until the server was
restarted. This could allow LDAP users to access information that should be
restricted by the defined ACLs. (CVE-2012-4450)

This issue was discovered by Noriko Hosoi of Red Hat.

These updated 389-ds-base packages include numerous bug fixes and
enhancements. Space precludes documenting all of these changes in this
advisory. Users are directed to the Red Hat Enterprise Linux 6.4
Technical Notes, linked to in the References, for information on the most
significant of these changes.

All users of 389-ds-base are advised to upgrade to these updated packages,
which correct this issue and provide numerous bug fixes and enhancements.
After installing this update, the 389 server service will be restarted
automatically.

Affected Software/OS:
389-ds-base on Red Hat Enterprise Linux Server (v. 6),
Red Hat Enterprise Linux Workstation (v. 6)

Solution:
Please Install the Updated Packages.

CVSS Score:
6.0

CVSS Vector:
AV:N/AC:M/Au:S/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2012-4450
50713
http://secunia.com/advisories/50713
55690
http://www.securityfocus.com/bid/55690
RHSA-2013:0503
http://rhn.redhat.com/errata/RHSA-2013-0503.html
[oss-security] 20120926 CVE Request -- 389-ds-base: Change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in ACL (ACL rules bypass possible)
http://www.openwall.com/lists/oss-security/2012/09/26/3
[oss-security] 20120926 Re: CVE Request -- 389-ds-base: Change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in ACL (ACL rules bypass possible)
http://www.openwall.com/lists/oss-security/2012/09/26/5
http://git.fedorahosted.org/cgit/389/ds.git/commit/?id=5beb93d42efb807838c09c5fab898876876f8d09
https://bugzilla.redhat.com/show_bug.cgi?id=860772
https://fedorahosted.org/389/ticket/340

Copyright Copyright (C) 2013 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.870921
Category:	Red Hat Local Security Checks
Title:	RedHat Update for 389-ds-base RHSA-2013:0503-03
Summary:	The remote host is missing an update for the '389-ds-base'; package(s) announced via the referenced advisory.
Description:	Summary: The remote host is missing an update for the '389-ds-base' package(s) announced via the referenced advisory. Vulnerability Insight: The 389-ds-base packages provide 389 Directory Server, which is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. A flaw was found in the way 389 Directory Server enforced ACLs after performing an LDAP modify relative distinguished name (modrdn) operation. After modrdn was used to move part of a tree, the ACLs defined on the moved (Distinguished Name) were not properly enforced until the server was restarted. This could allow LDAP users to access information that should be restricted by the defined ACLs. (CVE-2012-4450) This issue was discovered by Noriko Hosoi of Red Hat. These updated 389-ds-base packages include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes. All users of 389-ds-base are advised to upgrade to these updated packages, which correct this issue and provide numerous bug fixes and enhancements. After installing this update, the 389 server service will be restarted automatically. Affected Software/OS: 389-ds-base on Red Hat Enterprise Linux Server (v. 6), Red Hat Enterprise Linux Workstation (v. 6) Solution: Please Install the Updated Packages. CVSS Score: 6.0 CVSS Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2012-4450 50713 http://secunia.com/advisories/50713 55690 http://www.securityfocus.com/bid/55690 RHSA-2013:0503 http://rhn.redhat.com/errata/RHSA-2013-0503.html [oss-security] 20120926 CVE Request -- 389-ds-base: Change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in ACL (ACL rules bypass possible) http://www.openwall.com/lists/oss-security/2012/09/26/3 [oss-security] 20120926 Re: CVE Request -- 389-ds-base: Change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in ACL (ACL rules bypass possible) http://www.openwall.com/lists/oss-security/2012/09/26/5 http://git.fedorahosted.org/cgit/389/ds.git/commit/?id=5beb93d42efb807838c09c5fab898876876f8d09 https://bugzilla.redhat.com/show_bug.cgi?id=860772 https://fedorahosted.org/389/ticket/340
Copyright	Copyright (C) 2013 Greenbone AG