Red Hat Local Security Checks : RedHat Update for 389-ds-base RHSA-2016:2594-02

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.871686

Category: Red Hat Local Security Checks

Title: RedHat Update for 389-ds-base RHSA-2016:2594-02

Summary: The remote host is missing an update for the '389-ds-base'; package(s) announced via the referenced advisory.

Description: Summary:
The remote host is missing an update for the '389-ds-base'
package(s) announced via the referenced advisory.

Vulnerability Insight:
389 Directory Server is an LDAP version 3
(LDAPv3) compliant server. The base packages include the Lightweight Directory
Access Protocol (LDAP) server and command-line utilities for server administration.

The following packages have been upgraded to a newer upstream version:
389-ds-base (1.3.5.10). (BZ#1270020)

Security Fix(es):

* It was found that 389 Directory Server was vulnerable to a flaw in which
the default ACI (Access Control Instructions) could be read by an anonymous
user. This could lead to leakage of sensitive information. (CVE-2016-5416)

* An information disclosure flaw was found in 389 Directory Server. A user
with no access to objects in certain LDAP sub-tree could send LDAP ADD
operations with a specific object name. The error message returned to the
user was different based on whether the target object existed or not.
(CVE-2016-4992)

* It was found that 389 Directory Server was vulnerable to a remote
password disclosure via timing attack. A remote attacker could possibly use
this flaw to retrieve directory server password after many tries.
(CVE-2016-5405)

The CVE-2016-5416 issue was discovered by Viktor Ashirov (Red Hat) the
CVE-2016-4992 issue was discovered by Petr Spacek (Red Hat) and Martin
Basti (Red Hat) and the CVE-2016-5405 issue was discovered by William
Brown (Red Hat).

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.3 Release Notes linked from the References section.

Affected Software/OS:
389-ds-base on Red Hat Enterprise Linux Server (v. 7)

Solution:
Please Install the Updated Packages.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2016-4992
RHSA-2016:2594
http://rhn.redhat.com/errata/RHSA-2016-2594.html
RHSA-2016:2765
http://rhn.redhat.com/errata/RHSA-2016-2765.html
https://bugzilla.redhat.com/show_bug.cgi?id=1347760
https://github.com/389ds/389-ds-base/commit/0b932d4b926d46ac5060f02617330dc444e06da1
Common Vulnerability Exposure (CVE) ID: CVE-2016-5405
93884
http://www.securityfocus.com/bid/93884
https://bugzilla.redhat.com/show_bug.cgi?id=1358865
Common Vulnerability Exposure (CVE) ID: CVE-2016-5416
99097
http://www.securityfocus.com/bid/99097
https://bugzilla.redhat.com/show_bug.cgi?id=1349540

Copyright Copyright (C) 2016 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.871686
Category:	Red Hat Local Security Checks
Title:	RedHat Update for 389-ds-base RHSA-2016:2594-02
Summary:	The remote host is missing an update for the '389-ds-base'; package(s) announced via the referenced advisory.
Description:	Summary: The remote host is missing an update for the '389-ds-base' package(s) announced via the referenced advisory. Vulnerability Insight: 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. The following packages have been upgraded to a newer upstream version: 389-ds-base (1.3.5.10). (BZ#1270020) Security Fix(es): * It was found that 389 Directory Server was vulnerable to a flaw in which the default ACI (Access Control Instructions) could be read by an anonymous user. This could lead to leakage of sensitive information. (CVE-2016-5416) * An information disclosure flaw was found in 389 Directory Server. A user with no access to objects in certain LDAP sub-tree could send LDAP ADD operations with a specific object name. The error message returned to the user was different based on whether the target object existed or not. (CVE-2016-4992) * It was found that 389 Directory Server was vulnerable to a remote password disclosure via timing attack. A remote attacker could possibly use this flaw to retrieve directory server password after many tries. (CVE-2016-5405) The CVE-2016-5416 issue was discovered by Viktor Ashirov (Red Hat) the CVE-2016-4992 issue was discovered by Petr Spacek (Red Hat) and Martin Basti (Red Hat) and the CVE-2016-5405 issue was discovered by William Brown (Red Hat). Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Affected Software/OS: 389-ds-base on Red Hat Enterprise Linux Server (v. 7) Solution: Please Install the Updated Packages. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2016-4992 RHSA-2016:2594 http://rhn.redhat.com/errata/RHSA-2016-2594.html RHSA-2016:2765 http://rhn.redhat.com/errata/RHSA-2016-2765.html https://bugzilla.redhat.com/show_bug.cgi?id=1347760 https://github.com/389ds/389-ds-base/commit/0b932d4b926d46ac5060f02617330dc444e06da1 Common Vulnerability Exposure (CVE) ID: CVE-2016-5405 93884 http://www.securityfocus.com/bid/93884 https://bugzilla.redhat.com/show_bug.cgi?id=1358865 Common Vulnerability Exposure (CVE) ID: CVE-2016-5416 99097 http://www.securityfocus.com/bid/99097 https://bugzilla.redhat.com/show_bug.cgi?id=1349540
Copyright	Copyright (C) 2016 Greenbone AG