Oracle Linux 6 : 389-ds-base (ELSA-2013-0503)

high Nessus Plugin ID 68743

Synopsis

The remote Oracle Linux host is missing a security update.

Description

The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2013-0503 advisory.

[1.2.11.15-11]
- Resolves: Bug 896256 - updating package touches configuration files

[1.2.11.15-10]
- Resolves: Bug 889083 - For modifiersName/internalModifiersName feature, internalModifiersname is not working for DNA plugin

[1.2.11.15-9]
- Resolves: Bug 891930 - DNA plugin no longer reports additional info when range is depleted

[1.2.11.15-8]
- Resolves: Bug 887855 - RootDN Access Control plugin is missing after upgrade from RHEL63 to RHEL64

[1.2.11.15-7]
- Resolves: Bug 830355 - [RFE] improve cleanruv functionality
- Resolves: Bug 876650 - Coverity revealed defects
- Ticket #20 - [RFE] Allow automember to work on entries that have already been added (Bug 768084)
- Resolves: Bug 834074 - [RFE] Disable replication agreements
- Resolves: Bug 878111 - ns-slapd segfaults if it cannot rename the logs

[1.2.11.15-6]
- Resolves: Bug 880305 - spec file missing dependencies for x86_64 6ComputeNode
- use perl-Socket6 on RHEL6

[1.2.11.15-5]
- Resolves: Bug 880305 - spec file missing dependencies for x86_64 6ComputeNode

[1.2.11.15-4]
- Resolves: Bug 868841 - Newly created users with organizationalPerson objectClass fails to sync from AD to DS with missing attribute error
- Resolves: Bug 868853 - Winsync: DS error logs report wrong version of Windows AD when winsync is configured.
- Resolves: Bug 875862 - crash in DNA if no dnamagicregen is specified
- Resolves: Bug 876694 - RedHat Directory Server crashes (segfaults) when moving ldap entry
- Resolves: Bug 876727 - Search with a complex filter including range search is slow
- Ticket #495 - internalModifiersname not updated by DNA plugin (Bug 834053)

[1.2.11.15-3]
- Resolves: Bug 870158 - slapd entered to infinite loop during new index addition
- Resolves: Bug 870162 - Cannot abandon simple paged result search
- c970af0 Coverity defects
- 1ac087a Fixing compiler warnings in the posix-winsync plugin
- 2f960e4 Coverity defects
- Ticket #491 - multimaster_extop_cleanruv returns wrong error codes

[1.2.11.15-2]
- Resolves: Bug 834063 [RFE] enable attribute that tracks when a password was last set on an entry in the LDAP store; Ticket #478 passwordTrackUpdateTime stops working with subtree password policies
- Resolves: Bug 847868 [RFE] support posix schema for user and group sync; Ticket #481 expand nested posix groups
- Resolves: Bug 860772 Change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in acl
- Resolves: Bug 863576 Dirsrv deadlock locking up IPA
- Resolves: Bug 864594 anonymous limits are being applied to directory manager

[1.2.11.15-1]
- Resolves: Bug 856657 dirsrv init script returns 0 even when few or all instances fail to start
- Resolves: Bug 858580 389 prevents from adding a posixaccount with userpassword after schema reload

[1.2.11.14-1]
- Resolves: Bug 852202 Ipa master system initiated more than a dozen simultaneous replication sessions, shut itself down and wiped out its db
- Resolves: Bug 855438 CLEANALLRUV task gets stuck on winsync replication agreement

[1.2.11.13-1]
- Resolves: Bug 847868 [RFE] support posix schema for user and group sync
- fix upgrade issue with plugin config schema
- posix winsync has default plugin precedence of 25

[1.2.11.12-1]
- Resolves: Bug 800051 Rebase 389-ds-base to 1.2.11
- Resolves: Bug 742054 SASL/PLAIN binds do not work
- Resolves: Bug 742381 MOD operations with chained delete/add get back error 53 on backend config
- Resolves: Bug 746642 [RFE] define pam_passthru service per subtree
- Resolves: Bug 757836 logconv.pl restarts count on conn=0 instead of conn=1
- Resolves: Bug 768084 [RFE] Allow automember to work on entries that have already been added
- Resolves: Bug 782975 krbExtraData is being null modified and replicated on each ssh login
- Resolves: Bug 803873 Sync with group attribute containing () fails
- Resolves: Bug 818762 winsync should not delete entry that appears to be out of scope
- Resolves: Bug 830001 unhashed#user#password visible after changing password [rhel-6.4]
- Resolves: Bug 830256 Audit log - clear text password in user changes
- Resolves: Bug 830331 ns-slapd exits/crashes if /var fills up
- Resolves: Bug 830334 Invalid chaining config triggers a disk full error and shutdown
- Resolves: Bug 830335 restore of replica ldif file on second master after deleting two records shows only 1 deletion
- Resolves: Bug 830336 db deadlock return should not log error
- Resolves: Bug 830337 usn + mmr = deletions are not replicated
- Resolves: Bug 830338 Change DS to purge ticket from krb cache in case of authentication error
- Resolves: Bug 830340 Make the CLEANALLRUV task one step
- Resolves: Bug 830343 managed entry sometimes doesn't delete the managed entry
- Resolves: Bug 830344 [RFE] Improve replication agreement status messages
- Resolves: Bug 830346 ADD operations not in audit log
- Resolves: Bug 830347 389 DS does not support multiple paging controls on a single connection
- Resolves: Bug 830348 Slow shutdown when you have 100+ replication agreements
- Resolves: Bug 830349 cannot use & in a sasl map search filter
- Resolves: Bug 830353 valgrind reported memleaks and mem errors
- Resolves: Bug 830355 [RFE] improve cleanruv functionality
- Resolves: Bug 830356 coverity 12625-12629 - leaks, dead code, unchecked return
- Resolves: Bug 832560 [abrt] 389-ds-base-1.2.10.6-1.fc16: slapi_attr_value_cmp: Process /usr/sbin/ns- slapd was killed by signal 11 (SIGSEGV)
- Resolves: Bug 833202 transaction retries need to be cache aware
- Resolves: Bug 833218 ldapmodify returns Operations error
- Resolves: Bug 833222 memberOf attribute and plugin behaviour between sub-suffixes
- Resolves: Bug 834046 [RFE] Add nsTLS1 attribute to schema and objectclass nsEncryptionConfig
- Resolves: Bug 834047 Fine Grained Password policy: if passwordHistory is on, deleting the password fails.
- Resolves: Bug 834049 [RFE] Add schema for DNA plugin
- Resolves: Bug 834052 [RFE] limiting Directory Manager (nsslapd-rootdn) bind access by source host (e.g.
127.0.0.1)
- Resolves: Bug 834053 [RFE] Plugins - ability to control behavior of modifyTimestamp/modifiersName
- Resolves: Bug 834054 Should only update modifyTimestamp/modifiersName on MODIFY ops
- Resolves: Bug 834056 Automembership plugin fails in a MMR setup, if data and config area mixed in the plugin configuration
- Resolves: Bug 834057 ldap-agent crashes on start with signal SIGSEGV
- Resolves: Bug 834058 [RFE] logconv.pl : use of getopts to parse commandline options
- Resolves: Bug 834060 passwordMaxFailure should lockout password one sooner - and should be configurable to avoid regressions
- Resolves: Bug 834061 [RFE] RHDS: Implement SO_KEEPALIVE in network calls.
- Resolves: Bug 834063 [RFE] enable attribute that tracks when a password was last set on an entry in the LDAP store
- Resolves: Bug 834064 dnaNextValue gets incremented even if the user addition fails
- Resolves: Bug 834065 Adding Replication agreement should complain if required nsds5ReplicaCredentials not supplied
- Resolves: Bug 834074 [RFE] Disable replication agreements
- Resolves: Bug 834075 logconv.pl reporting unindexed search with different search base than shown in access logs
- Resolves: Bug 835238 Account Usability Control Not Working
- Resolves: Bug 836386 slapi_ldap_bind() doesn't check bind results
- Resolves: Bug 838706 referint modrdn not working if case is different
- Resolves: Bug 840153 Impossible to rename entry (modrdn) with Attribute Uniqueness plugin enabled
- Resolves: Bug 841600 Referential integrity plug-in does not work when update interval is not zero
- Resolves: Bug 842437 dna memleak reported by valgrind
- Resolves: Bug 842438 Report during startup if nsslapd-cachememsize is too small
- Resolves: Bug 842440 memberof performance enhancement
- Resolves: Bug 842441 'Server is unwilling to perform' when running ldapmodify on nsds5ReplicaStripAttrs
- Resolves: Bug 847868 [RFE] support posix schema for user and group sync
- Resolves: Bug 850683 nsds5ReplicaEnabled can be set with any invalid values.
- Resolves: Bug 852087 [RFE] add attribute nsslapd-readonly so we can reference it in acis
- Resolves: Bug 852088 server to server ssl client auth broken with latest openldap
- Resolves: Bug 852839 variable dn should not be used in ldbm_back_delete

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected 389-ds-base, 389-ds-base-devel and / or 389-ds-base-libs packages.

See Also

https://linux.oracle.com/errata/ELSA-2013-0503.html

Plugin Details

Severity: High

ID: 68743

File Name: oraclelinux_ELSA-2013-0503.nasl

Version: 1.8

Type: local

Agent: unix

Published: 7/12/2013

Updated: 10/22/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2012-4450

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:389-ds-base-devel, p-cpe:/a:oracle:linux:389-ds-base, cpe:/o:oracle:linux:6, p-cpe:/a:oracle:linux:389-ds-base-libs

Required KB Items: Host/local_checks_enabled, Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 2/25/2013

Vulnerability Publication Date: 9/30/2012

Reference Information

CVE: CVE-2012-4450

BID: 55690

RHSA: 2013:0503