[SECURITY] Fedora 17 Update: 389-ds-base-1.2.11.21-1.fc17

updates at fedoraproject.org
Thu Jun 13 06:11:57 UTC 2013


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-5349
2013-04-11 09:33:53
--------------------------------------------------------------------------------

Name        : 389-ds-base
Product     : Fedora 17
Version     : 1.2.11.21
Release     : 1.fc17
URL         : http://port389.org/
Summary     : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server.  The base package includes
the LDAP server and command line utilities for server administration.

--------------------------------------------------------------------------------
Update Information:

Here is where you give an explanation of your update.
This release fixes 7 critical bugs including one security bug.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr  9 2013 Mark Reynolds <mreynolds at redhat.com> - 1.2.11.21-1
9a7ba7d bump version to 1.2.11.21
Ticket 47318 - server fails to start after upgrade(schema error)
* Thu Mar 28 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.2.11.20-1
Ticket 623 - cleanAllRUV task fails to cleanup config upon completion
Ticket #47308 - unintended information exposure when anonymous access is set to rootdse
Ticket 628 - crash in aci evaluation
Ticket #627 - ns-slapd crashes sporadically with segmentation fault in libslapd.so
Ticket #634 - Deadlock in DNA plug-in
f6a6514 Coverity issue 13091
Ticket 632 - 389-ds-base cannot handle Kerberos tickets with PAC
Ticket 623 - cleanAllRUV task fails to cleanup config upon completion
* Mon Mar 11 2013 Mark Reynolds <mreynolds at redhat.com> - 1.2.11.19-1
c535f7d bump version to 1.2.11.19
Bug 912964 - CVE-2013-0312 389-ds: unauthenticated denial of service vulnerability in handling of LDAPv3 control data
Ticket 590 - ns-slapd segfaults while trying to delete a tombstone entry
Ticket 518 - dse.ldif is 0 length after server kill or machine kill
Ticket #579 - Error messages encountered when using POSIX winsync
Ticket #576 - DNA: use event queue for config update only at the start up
Ticket 367 - Invalid chaining config triggers a disk full error and shutdown
Ticket 570 - DS returns error 20 when replacing values of a multi-valued attribute  (only when replication is enabled)
Bug 906005 - Valgrind reports memleak in modify_update_last_modified_attr
Ticket #572 - PamConfig schema not updated during upgrade
* Thu Jan 24 2013 Mark Reynolds <mreynolds at redhat.com> - 1.2.11.18-1
12420d9 bump version to 1.2.11.18
Ticket 556 - Don't overwrite certmap.conf during upgrade
Ticket 495 - 1.2.11 - plugin dn is missing from pblock
Ticket 549 - DNA plugin no longer reports additional info when range is depleted
Ticket 541 - need to set plugin as off in ldif template
Ticket 541 - RootDN Access Control plugin is missing after upgrade
Ticket 527 - ns-slapd segfaults if it cannot rename the logs
39b0938 Coverity Issues for 1.2.11
Ticket 216 - disable replication agreements
Ticket 20 - Allow automember to work on entries that have already been added
7d22bc2 Coverity Fixes
Ticket 337 - improve CLEANRUV functionality
Ticket 495 - internalModifiersname not updated by DNA plugin
Ticket 517 - crash in DNA if no dnaMagicRegen is specified
Trac Ticket #520 - RedHat Directory Server crashes (segfaults) when moving ldap entry
Trac Ticket #519 - Search with a complex filter including range search is slow
Trac Ticket #500 - Newly created users with organizationalPerson objectClass fails to sync from AD to DS with missing attribute error
Ticket #503 - Improve AD version in winsync log message
Trac Ticket #498 - Cannot abandon simple paged result search
55997a6 Coverity defects
Trac Ticket #494 - slapd entered to infinite loop during new index addition
56ebbb2 Fixing compiler warnings in the posix-winsync plugin
a57d913 Coverity defects
Ticket 468 - if pam_passthru is enabled, need to AC_CHECK_HEADERS([security/pam_appl.h])
Ticket 486 - nsslapd-enablePlugin should not be multivalued
Ticket 488 - Doc: DS error log messages with typo
Ticket #491 - multimaster_extop_cleanruv returns wrong error codes
* Mon Dec 10 2012 Mark Reynolds <mreynolds at redhat.com> - 1.2.11.17-1
- 94d5ea3 bump version to 1.2.11.17
- Ticket 527 - ns-slapd segfaults if it cannot rename the logs
- 39b0938 Coverity Issues for 1.2.11
- Ticket 216 - disable replication agreements
- Ticket 20 - Allow automember to work on entries that have already been added
- 7d22bc2 Coverity Fixes
- Ticket 337 - improve CLEANRUV functionality
- Ticket 495 - internalModifiersname not updated by DNA plugin
- Ticket 517 - crash in DNA if no dnaMagicRegen is specified
- Trac Ticket #520 - RedHat Directory Server crashes (segfaults) when moving ldap entry
- Trac Ticket #519 - Search with a complex filter including range search is slow
- Trac Ticket #500 - Newly created users with organizationalPerson objectClass fails to sync from AD to DS with missing attribute error
- Ticket #503 - Improve AD version in winsync log message
- Trac Ticket #498 - Cannot abandon simple paged result search
- 55997a6 Coverity defects
- Trac Ticket #494 - slapd entered to infinite loop during new index addition
- 56ebbb2 Fixing compiler warnings in the posix-winsync plugin
- a57d913 Coverity defects
- Ticket 468 - if pam_passthru is enabled, need to AC_CHECK_HEADERS([security/pam_appl.h])
- Ticket 486 - nsslapd-enablePlugin should not be multivalued
- Ticket 488 - Doc: DS error log messages with typo
- Ticket #491 - multimaster_extop_cleanruv returns wrong error codes
* Wed Oct 10 2012 Noriko Hosoi <nhosoi at redhat.com> - 1.2.11.16-1
- Ticket 340 - Change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in acl
- Ticket 446 - anonymous limits are being applied to directory manager
- Ticket 478 - passwordTrackUpdateTime stops working with subtree password policies
- Ticket 481 - expand nested posix groups
- Ticket 485 - Dirsrv deadlock locking up IPA
* Tue Sep 25 2012 Rich Megginson <rmeggins at redhat.com> - 1.2.11.15-1
- Ticket 470 - 389 prevents from adding a posixaccount with userpassword after schema reload
- Ticket 477 - CLEANALLRUV if there are only winsync agmts task will hang
- Ticket 457 - dirsrv init script returns 0 even when few or all instances fail to start
- Ticket 473 - change VERSION.sh to have console version be major.minor
- Ticket 475 - Root DN Access Control - improve value checking for config
- Trac Ticket #466 - entry_apply_mod - ADD: Failed to set unhashed#user#password to extension
- Ticket 474 - Root DN Access Control - days allowed not working correctly
- Ticket 467 - CLEANALLRUV abort task should be able to ignore down replicas
- 0b79915 fix compiler warnings in ticket 374 code
- Ticket 452 - automember rebuild task adds users to groups that do not match the configuration scope
* Fri Sep  7 2012 Rich Megginson <rmeggins at redhat.com> - 1.2.11.14-1
- Ticket 450 - CLEANALLRUV task gets stuck on winsync replication agreement
- Ticket 386 - large memory growth with ldapmodify(heap fragmentation)
-  this patch doesn't fix the bug - it allows us to experiment with
-  different values of mxfast
- Ticket #374 - consumer can go into total update mode for no reason
* Tue Sep  4 2012 Rich Megginson <rmeggins at redhat.com> - 1.2.11.13-1
- Ticket #426 - support posix schema for user and group sync
-   1) plugin config ldif must contain pluginid, etc. during upgrade or it
-      will fail due to schema errors
-   2) posix winsync should have a lower precedence (25) than the default (50)
-      so that it will be run first
-   3) posix winsync should support the Winsync API v3 - the v2 functions are
-      just stubs for now - but the precedence cb is active
* Thu Aug 30 2012 Rich Megginson <rmeggins at redhat.com> - 1.2.11.12-1
- 8e5087a Coverity defects - 13089: Dereference after null check ldbm_back_delete
- Trac Ticket #437 - variable dn should not be used in ldbm_back_delete
- ba1f5b2 fix coverity resource leak in windows_plugin_add
- e3e81db Simplify program flow: change while loops to for
- a0d5dc0 Fix logic errors: del_mod should be latched (might not be last mod), and avoid skipping add-mods (int value 0)
- 0808f7e Simplify program flow: make adduids/moduids/deluids action blocks all similar
- 77eb760 Simplify program flow: eliminate unnecessary continue
- c9e9db7 Memory leaks: unmatched slapi_attr_get_valueset and slapi_value_new
- a4ca0cc Change "return"s in modGroupMembership to "break"s to avoid leaking
- d49035c Factorize into new isPosixGroup function
- 3b61c03 coverity - posix winsync mem leaks, null check, deadcode, null ref, use after free
- 33ce2a9 fix mem leaks with parent dn log message, setting winsync windows domain
- Ticket #440 - periodic dirsync timed event causes server to loop repeatedly
- Ticket #355 - winsync should not delete entry that appears to be out of scope
- Ticket 436 - nsds5ReplicaEnabled can be set with any invalid values.
- 487932d coverity - mbo dead code - winsync leaks, deadcode, null check, test code
- 2734a71 CLEANALLRUV coverity fixes
- Ticket #426 - support posix schema for user and group sync
- Ticket #430 - server to server ssl client auth broken with latest openldap
* Mon Aug 20 2012 Mark Reynolds <mareynol at redhat.com> - 1.2.11.11-1
6c0778f bumped version to 1.2.11.11
Ticket 429 - added nsslapd-readonly to DS schema
Ticket 403 - fix CLEANALLRUV regression from last commit
Trac Ticket #346 - Slow ldapmodify operation time for large quantities of multi-valued attribute values
* Wed Aug 15 2012 Mark Reynolds <mareynol at redhat.com> - 1.2.11.10-1
db6b354 bumped version to 1.2.11.10
Ticket 403 - CLEANALLRUV revisions
* Tue Aug  7 2012 Mark Reynolds <mareynol at redhat.com> - 1.2.11.9-1
ea05e69 Bumped version to 1.2.11.9
Ticket 407 - dna memory leak - fix crash from prev fix
* Fri Aug  3 2012 Mark Reynolds <mareynol at redhat.com> - 1.2.11.8-1
ddcf669 bump version to 1.2.11.8 for official release
Ticket #425 - support multiple winsync plugins
Ticket 403 - cleanallruv coverity fixes
Ticket 407 - memory leak in dna plugin
Ticket 403 - CLEANALLRUV feature
Ticket 413 - "Server is unwilling to perform" when running ldapmodify on nsds5ReplicaStripAttrs
3168f04 Coverity defects
5ff0a02 COVERITY FIXES
Ticket #388 - Improve replication agreement status messages
0760116 Update the slapi-plugin documentation on new slapi functions, and added a slapi function for checking on shutdowns
Ticket #369 - restore of replica ldif file on second master after deleting two records shows only 1 deletion
Ticket #409 - Report during startup if nsslapd-cachememsize is too small
Ticket #412 - memberof performance enhancement
12813: Uninitialized pointer read string_values2keys
Ticket #346 - Slow ldapmodify operation time for large quantities of multi-valued attribute values
Ticket #346 - Slow ldapmodify operation time for large quantities of multi-valued attribute values
Ticket #410 - Referential integrity plug-in does not work when update interval is not zero
Ticket #406 - Impossible to rename entry (modrdn) with Attribute Uniqueness plugin enabled
Ticket #405 - referint modrdn not working if case is different
Ticket 399 - slapi_ldap_bind() doesn't check bind results
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.2.11.7-2.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Thu Jun 28 2012 Petr Pisar <ppisar at redhat.com> - 1.2.11.7-2.1
- Perl 5.16 rebuild
* Wed Jun 27 2012 Rich Megginson <rmeggins at redhat.com> - 1.2.11.7-2
- Ticket 378 - unhashed#user#password visible after changing password
-  fix func declaration from previous patch
- Ticket 366 - Change DS to purge ticket from krb cache in case of authentication error
* Wed Jun 27 2012 Rich Megginson <rmeggins at redhat.com> - 1.2.11.7-1
- Trac Ticket 396 - Account Usability Control Not Working
* Thu Jun 21 2012 Rich Megginson <rmeggins at redhat.com> - 1.2.11.6-1
- Ticket #378 - audit log does not log unhashed password: enabled, by default.
- Ticket #378 - unhashed#user#password visible after changing password
- Ticket #365 - passwords in clear text in the audit log
* Tue Jun 19 2012 Rich Megginson <rmeggins at redhat.com> - 1.2.11.5-2
- workaround for https://bugzilla.redhat.com/show_bug.cgi?id=833529
* Mon Jun 18 2012 Rich Megginson <rmeggins at redhat.com> - 1.2.11.5-1
- Ticket #387 - managed entry sometimes doesn't delete the managed entry
- 5903815 improve txn test index handling
- Ticket #360 - ldapmodify returns Operations error - fix delete caching
- bcfa9e3 Coverity Fix for CLEANALLRUV
- Trac Ticket #335 - transaction retries need to be cache aware
- Ticket #389 - ADD operations not in audit log
- 44cdc84 fix coverity issues with uninit vals, no return checking
- Ticket 368 - Make the cleanAllRUV task one step
- Ticket #110 - RFE limiting root DN by host, IP, time of day, day of week
* Mon Jun 11 2012 Petr Pisar <ppisar at redhat.com> - 1.2.11.4-1.1
- Perl 5.16 rebuild
* Tue May 22 2012 Rich Megginson <rmeggins at redhat.com> - 1.2.11.4-1
- Ticket #360 - ldapmodify returns Operations error
- Ticket #321 - krbExtraData is being null modified and replicated on each ssh login
- Trac Ticket #359 - Database RUV could mismatch the one in changelog under the stress
- Ticket #361: Bad DNs in ACIs can segfault ns-slapd
- Trac Ticket #338 - letters in object's cn get converted to lowercase when renaming object
- Ticket #337 - Improve CLEANRUV task
* Sat May  5 2012 Rich Megginson <rmeggins at redhat.com> - 1.2.11.3-1
- Ticket #358 - managed entry doesn't delete linked entry
* Fri May  4 2012 Rich Megginson <rmeggins at redhat.com> - 1.2.11.2-1
- Ticket #351 - use betxn plugins by default
-   revert - make no plugins betxn by default - too great a risk
-   for deadlocks until we can test this better
- Ticket #348 - crash in ldap_initialize with multiple threads
-   fixes PR_Init problem in ldclt
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #928105 - CVE-2013-1897 389-ds: unintended information exposure when rootdse is enabled
        https://bugzilla.redhat.com/show_bug.cgi?id=928105
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update 389-ds-base' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

