[SECURITY] Fedora 19 Update: 389-ds-base-1.3.1.22-1.fc19

updates at fedoraproject.org
Sat Mar 15 15:23:08 UTC 2014


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-3936
2014-03-15 13:26:42
--------------------------------------------------------------------------------

Name        : 389-ds-base
Product     : Fedora 19
Version     : 1.3.1.22
Release     : 1.fc19
URL         : http://port389.org/
Summary     : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server.  The base package includes
the LDAP server and command line utilities for server administration.

--------------------------------------------------------------------------------
Update Information:

An important security bug was fixed.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Mar 14 2014 Noriko Hosoi <nhosoi at redhat.com> - 1.3.1.22-1
- Release 1.3.1.22 (This release is 1.3.1.19 + Ticket 47739)
- Ticket 47739 - directory server is insecurely misinterpreting authzid on a SASL/GSSAPI bind
* Thu Mar 13 2014 Noriko Hosoi <nhosoi at redhat.com> - 1.3.1.21-1
- bump version to 1.3.1.21
- Ticket 47735 - e_uniqueid fails to set if an entry is a conflict entry
- Ticket 47740 - Coverity issue in 1.3.3
- Ticket 47740 - Fix coverity issues - Part 5
- Ticket 47740 - Fix coverity errors - Part 4
- Ticket 47640 - Fix coverity issues - part 3
- Ticket 47538 - RFE: repl-monitor.pl plain text output, cmdline config options
- Ticket 47740 - Coverity Fixes (Mark - part 1)
- Ticket 47734 - Change made in resolving ticket #346 fails on Debian SPARC64
- Ticket 47722 - Fixed filter not correctly identified
- Ticket 47722 - rsearch filter error on any search filter
* Mon Mar 10 2014 Noriko Hosoi <nhosoi at redhat.com> - 1.3.1.20-1
- bump version to 1.3.1.20
- Ticket 47739 - directory server is insecurely misinterpreting authzid on a SASL/GSSAPI bind
- Ticket 47737 - Under heavy stress, failure of turning a tombstone into glue makes the server hung
- Ticket 47735 - e_uniqueid fails to set if an entry is a conflict entry
- Ticket 47729 - Directory Server crashes if shutdown during a replication initialization
- Ticket 47637 - rsa_null_sha should not be enabled by default
* Fri Feb 28 2014 Noriko Hosoi <nhosoi at redhat.com> - 1.3.1.19-1
- bump version to 1.3.1.19
- Ticket 408   - create a normalized dn cache
- Ticket 571   - Empty control list causes LDAP protocol error is thrown (dup 47361)
- Ticket 408   - create a normalized dn cache
- Ticket 525   - Replication retry time attributes cannot be added
- Ticket 47709 - package issue in 389-ds-base
- Ticket 415   - winsync doesn't sync DN valued attributes if DS DN value doesn't exist
- Ticket 47642 - Windows Sync group issues
- Ticket 47704 - invalid sizelimits in aci group evaluation
- Ticket 525   - Replication retry time attributes cannot be added
- Ticket 47692 - single valued attribute replicated ADD does not work
- Ticket 47677 - Size returned by slapi_entry_size is not accurate
- Ticket 47693 - Environment variables are not passed when DS is started via service
* Thu Feb 20 2014 Noriko Hosoi <nhosoi at redhat.com> - 1.3.1.18-2
- Added arch aware python dir; moved libns-dshttpd.so* to devel and libs package.
* Wed Feb  5 2014 Noriko Hosoi <nhosoi at redhat.com> - 1.3.1.18-1
- the 1.3.1.18 release
- Ticket 471   - logconv.pl tool removes the access logs contents if "-M" is not correctly used
- Ticket 47374 - flush.pl is not included in perl5
- Ticket 47463 - IDL-style can become mismatched during partial restoration
- Ticket 47649 - Server hangs in cos_cache when adding a user entry
- Ticket 443   - Deleting attribute present in nsslapd-allowed-to-delete-attrs returns Operations error
- Ticket 47638 - Overflow in nsslapd-disk-monitoring-threshold on 32bit platform
- Ticket 47641 - 7-bit check plugin not checking MODRDN operation
- Ticket 342   - better error message when cache overflows
- Ticket 47516 - replication stops with excessive clock skew
- Ticket 47620 - Unable to delete protocol timeout attribute
- Ticket 408   - Fix crash when disabling/enabling the setting
- Ticket 47660 - config_set_allowed_to_delete_attrs: Valgrind reports Invalid read
* Wed Jan  8 2014 Noriko Hosoi <nhosoi at redhat.com> - 1.3.1.17-1
- the 1.3.1.17 release
- Ticket 342   - better error message when cache overflows (phase 2)
- Ticket 447   - Possible to add invalid attribute to nsslapd-allowed-to-delete-attrs
- Ticket 571 (dup 47361) - Empty control list causes LDAP protocol error is thrown
- Ticket 47587 - hard coded limit of 64 masters in agreement and changelog code
- Ticket 47591 - entries with empty objectclass attribute value can be hidden
- Ticket 47592 - automember plugin task memory leaks
- Ticket 47596 - attrcrypt fails to find unlocked key
- Ticket 47599 - fix memory leak
- Ticket 47606 - replica init/bulk import errors should be more verbose
- Ticket 47611 - Add script to build patched RPMs
- Ticket 47611 - Add make rpms build target
- Ticket 47613 - Issues setting allowed mechanisms
- Ticket 47613 - Impossible to configure nsslapd-allowed-sasl-mechanisms
- Ticket 47614 - Possible to specify invalid SASL mechanism in nsslapd-allowed-sasl-mechanisms
- Ticket 47620 - Fix missing left bracket
- Ticket 47620 - Fix dereferenced NULL pointer in agmtlist_modify_callback()
- Ticket 47620 - Fix logically dead code.
- Ticket 47620 - Config value validation improvement
- Ticket 47620 - Fix cherry-pick error for 1.3.2 and 1.3.1
- Ticket 47620 - 389-ds rejects nsds5ReplicaProtocolTimeout attribute
- Ticket 47622 - Automember betxnpreoperation - transaction not aborted when group entry does not exist
- Ticket 47623 - fix memleak caused by 47347
- Ticket 47627 - Fix replication logging
- Ticket 47627 - changelog iteration should ignore cleaned rids when getting the minCSN
* Fri Nov 22 2013 Rich Megginson <rmeggins at redhat.com> - 1.3.1.16-1
- Ticket 47599 - Reduce lock scope in retro changelog plug-in
-    Forgot to add definition of retrocl_cn_lock
* Thu Nov 21 2013 Rich Megginson <rmeggins at redhat.com> - 1.3.1.15-1
- Ticket #47605 CVE-2013-4485: DoS due to improper handling of ger attr searche
- Ticket 47599 - Reduce lock scope in retro changelog plug-in
- Ticket #47596 attrcrypt fails to find unlocked key
- Ticket 47598 - Convert ldbm_back_seq code to be transaction aware
- Ticket 47597 - Convert retro changelog plug-in to betxn
- Revert "Ticket #47559 hung server - related to sasl and initialize"
- Ticket #47585 Replication Failures related to skipped entries due to cleaned rids
* Fri Nov  8 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.3.1.14-1
- the 1.3.1.14 release - several bug fixes
- Ticket 47589 - Winsync replica initialization and incremental updates from DS to AD fails on RHEL7
- Ticket 47588 - Compiler warnings building on F19
- Coverity (Part 7) + Jenkins fix
* Wed Nov  6 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.3.1.13-1
- the 1.3.1.13 release - several bug fixes
- Ticket 47379 - DNA plugin failed to fetch replication agreement
- Ticket 47379 - DNA plugin failed to fetch replication agreement
- Ticket 47581 - Winsync plugin segfault during incremental backoff (phase 2)
- Ticket 47581 - Winsync plugin segfault during incremental backoff
- Ticket 47577 - crash when removing entries from cache
- Ticket 47560 - fixup memberof task does not work: task entry not added
- Ticket 47559 - hung server - related to sasl and initialize
- ticket 47550 - wip (cherry picked from commit 82377636267787be5182457d619d5a0b662d2658) (cherry picked from commit 181fde98aee96868189bc5557c5f33fefa026952)
- Coverity Fixes
- Ticket 47329 - Improve slapi_back_transaction_begin() return code when transactions are not available
- Ticket 47550 - logconv: failed logins: Use of uninitialized value in numeric comparison at logconv.pl line 949
* Thu Oct 10 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.3.1.12-1
- release 1.3.1.12
- Ticket 47513 - tmpfiles.d references /var/lock when they should reference /run/loc
- Ticket 47551 - logconv: -V does not produce unindexed search report
- Ticket 53 - Need to update supported locales
- Ticket 47517 - memory leak in range searches and other various leaks
- Ticket 53 - Need to update supported locales Cleaning up typos and format.
- Ticket 53 - Need to update supported locales
- Ticket 47522 - Password administrators should be able to violate password policy
- Ticket 54 - locale "nl" not supported by collation plugin
- Ticket 47543 - Mozldap - fix compiler warnings
- Coverity fixes - 12023, 12024, and 12025
- Ticket 47533 - logconv: some stats do not work across server restarts
- Ticket 47501 - logconv.pl uses /var/tmp for BDB temp files
- Ticket 47520 - Fix various issues with logconv.pl
- Ticket 47387 - improve logconv.pl performance with large access logs
- Ticket 47387 - improve logconv.pl performance with large access logs
- Ticket 47354 - Indexed search are logged with 'notes=U' in the access logs
* Mon Sep 30 2013 Rich Megginson <rmeggins at redhat.com> - 1.3.1.11-1
- Ticket 47513 - Set localrundir outside of the "with-fhs" block
- Ticket 47513 - Refine the check for @localrundir@
- Ticket 47510 - remove unnecessary typedef
- Ticket 47510 - Repl Sync does not compile against MozLDAP libraries
* Fri Sep 27 2013 Rich Megginson <rmeggins at redhat.com> - 1.3.1.10-1
- Ticket #47534 - RUV tombstone search with scope "one" doesn't work
- Ticket 47510 - 389-ds-base does not compile against MozLDAP libraries
- Ticket #47523 - Set up replication/agreement before initializing the sub suffix, the sub suffix is not found by ldapsearch
- Ticket 47528 - 389-ds-base built with mozldap can crash from invalid free
- Ticket #47504 idlistscanlimit per index/type/value
- Ticket 47513 - tmpfiles.d references /var/lock when they should reference /run/lock
- Ticket #47492 - PassSync removes User must change password flag on the Windows side
- Ticket 47509 - CLEANALLRUV doesn't run across all replicas
- Ticket #47516 replication stops with excessive clock skew
- 6829200 Coverity fix - 11952 - for Ticket 47512
- Ticket 47512 - backend txn plugin fixup tasks should be done in a txn
* Fri Sep 13 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.3.1.9-1
- release 1.3.1.9
- Ticket 449 - Allow macro aci keywords to be case-insensitive
- Ticket 47489 - Under specific values of nsDS5ReplicaName, replication may get broken or updates missing
- Ticket 47507 - automember rebuild task not working as expected
* Fri Sep  6 2013 Rich Megginson <rmeggins at redhat.com> - 1.3.1.8-1
- Ticket #47455 - valgrind - value mem leaks, uninit mem usage
-  fix breakage in slapi-nis introduced with the previous fix
- Ticket 47500 - start-dirsrv/restart-dirsrv/stop-disrv do not register with systemd correctly
* Wed Aug 28 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.3.1.7-1
- bump version to 1.3.1.7
- Bug 1002215 - CVE-2013-4283 389-ds-base: ns-slapd crash due to bogus DN
- Ticket 47488 - Users from AD sub OU does not sync to IPA
- Ticket 47461 - logconv.pl - Use of comma-less variable list is deprecated
- Ticket 47473 - setup-ds.pl doesn't lookup the "root" group correctly
* Thu Aug  1 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.3.1.6-1
- bump version to 1.3.1.6
- Ticket 47455 - valgrind - value mem leaks, uninit mem usage
- fix coverity 11915 - dead code - introduced with fix for ticket 346
- fix coverity 11895 - null deref - caused by fix to ticket 47392
- fix compiler warning in posix winsync code for posix_group_del_memberuid_callback
- Fix compiler warnings for Ticket 47395 and 47397
- fix compiler warning (cherry picked from commit 904416f4631d842a105851b4a9931ae17822a107)
- Ticket 47450 - Fix compiler formatting warning errors for 32/64 bit arch
- fix compiler warnings
- Fix compiler warning (cherry picked from commit ec6ebc0b0f085a82041d993ab2450a3922ef5502)
* Wed Jul 31 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.3.1.5-1
- bump version to 1.3.1.5
- Ticket 47456 - delete present values should append values to deleted values
- Ticket 47455 - valgrind - value mem leaks, uninit mem usage
- Ticket 47448 - Segfault in 389-ds-base-1.3.1.4-1.fc19 when setting up FreeIPA replication
- Ticket 47440 - Fix runtime errors caused by last patch.
- Ticket 47440 - Fix compilation warnings and header files
- Ticket 47405 - CVE-2013-2219 ACLs inoperative in some search scenarios
- Ticket 47447 - logconv.pl man page missing -m,-M,-B,-D
- Ticket 47378 - fix recent compiler warnings
- Ticket 47427 - Overflow in nsslapd-disk-monitoring-threshold
- Ticket 47449 - deadlock after adding and deleting entries
- Ticket 47441 - Disk Monitoring not checking filesystem with logs
- Ticket 47427 - Overflow in nsslapd-disk-monitoring-threshold
* Fri Jul 19 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.3.1.4-1
- bump version to 1.3.1.4
- Ticket 47435 - Very large entryusn values after enabling the USN plugin and the lastusn value is negative.
- Ticket 47424 - Replication problem with add-delete requests on single-valued attributes
- Ticket 47367 - (phase 2) ldapdelete returns non-leaf entry error while trying to remove a leaf entry
- Ticket 47367 - (phase 1) ldapdelete returns non-leaf entry error while trying to remove a leaf entry
- Ticket 47421 - memory leaks in set_krb5_creds
- Ticket 346 - version 4 Slow ldapmodify operation time for large quantities of multi-valued attribute values
- Ticket 47369  version2 - provide default syntax plugin
- Ticket 47427 - Overflow in nsslapd-disk-monitoring-threshold
- Ticket 47399 - RHDS denies MODRDN access if ACI list contains any DENY rule
- Ticket 47427 - Overflow in nsslapd-disk-monitoring-threshold
- Ticket 47428 - Memory leak in 389-ds-base 1.2.11.15
- Ticket 47392 - ldbm errors when adding/modifying/deleting entries
- Ticket 47385 - Disk Monitoring is not triggered as expected.
- Ticket 47410 - changelog db deadlocks with DNA and replication
* Wed Jul  3 2013 Noriko Hosoi <nhosoi at redhat.com> - 1.3.1.3-1
- bump version to 1.3.1.3
- Ticket 47374 - flush.pl is not included in perl5
- Ticket 47391 - deleting and adding userpassword fails to update the password (additional fix)
- Ticket 47393 - Attribute are not encrypted on a consumer after a full initialization
- Ticket 47395 47397 - v2 correct behaviour of account policy if only stateattr is configured or no alternate attr is configured
- Ticket 47396 - crash on modrdn of tombstone
- Ticket 47400 - MMR stress test with dna enabled causes a deadlock
- Ticket 47409 - allow setting db deadlock rejection policy
- Ticket 47419 - Unhashed userpassword can accidentally get removed from mods
- Ticket 47420 - An upgrade script 80upgradednformat.pl fails to handle a server instance name including '-'
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1076117 - CVE-2014-0132 389-ds-base: 389-ds: flaw in parsing authzid can lead to privilege escalation [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1076117
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update 389-ds-base' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

