RHSA-2023:3489: Red Hat Security Advisory: redhat-ds:12 security, bug fix, and enhancement update

An update for the redhat-ds:12 module is now available for Red Hat Directory Server 12.1 for RHEL 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-1055: A flaw was found in RHDS 11 and 12. While browsing entries, LDAP tries to decode the userPassword attribute instead of the userCertificate attribute, which could lead to sensitive information being leaked. This issue could allow an attacker with a local account with cockpit-389-ds running to list processes and display hashed passwords. The highest threat is to data confidentiality.
Issued: 2023-06-06
Updated: 2023-06-06
Synopsis: Moderate: redhat-ds:12 security, bug fix, and enhancement update
Type/Severity: Security Advisory: Moderate
Description
Red Hat Directory Server is an LDAPv3-compliant directory server. The suite of packages includes the Lightweight Directory Access Protocol (LDAP) server, as well as command-line utilities and Web UI packages for server administration.
Security Fix(es):
- RHDS: LDAP browser tries to decode userPassword instead of userCertificate attribute (CVE-2023-1055)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Users of Red Hat Directory Server 12 are advised to upgrade to these updated packages.
Affected Products
- Red Hat Directory Server 12 x86_64
Fixes
- BZ - 2151865 - dscreate tries to relabel directories for non-root instance
- BZ - 2168723 - lib389 password policy DN handling is incorrect
- BZ - 2173517 - CVE-2023-1055 RHDS: LDAP browser tries to decode userPassword instead of userCertificate attribute
Updated Packages: Red Hat Directory Server 12

SRPM:
- 389-ds-base-2.1.8-1.module+el9dsrv+18377+a10e6f72.src.rpm (SHA-256: a3f15bbf24802ba47ce879fec112d8846df70956fad01aaef3e55dd660110174)

x86_64:
- 389-ds-base-2.1.8-1.module+el9dsrv+18377+a10e6f72.x86_64.rpm (SHA-256: 2d14649d81275cc2b8079f8fa00c3aa53be06ee33179469bbb01664aae2a8f1d)
- 389-ds-base-debuginfo-2.1.8-1.module+el9dsrv+18377+a10e6f72.x86_64.rpm (SHA-256: bd28a7a0eb24da1bf977dea12550d82b9e45a69031c38f26e0464a48fe024812)
- 389-ds-base-debugsource-2.1.8-1.module+el9dsrv+18377+a10e6f72.x86_64.rpm (SHA-256: 3c33f8ce75ca454fcf671253dbacffda4728608bc205d463b4bf2096f2455e75)
- 389-ds-base-devel-2.1.8-1.module+el9dsrv+18377+a10e6f72.x86_64.rpm (SHA-256: 4af43536b32ec4ff045c135e4ab98bba9f6de3fb9f70d03c3b66d01c6d0ff1e5)
- 389-ds-base-libs-2.1.8-1.module+el9dsrv+18377+a10e6f72.x86_64.rpm (SHA-256: b925dfa058098030db168e70aa11e6e1ef9848767781d62e706db2e9e9ec2d6e)
- 389-ds-base-libs-debuginfo-2.1.8-1.module+el9dsrv+18377+a10e6f72.x86_64.rpm (SHA-256: 5bd30de0d6d58d2fa7f5bc898439f987f71f526c338f2e6786d2ee1de3bf2775)
- 389-ds-base-snmp-2.1.8-1.module+el9dsrv+18377+a10e6f72.x86_64.rpm (SHA-256: a544cdf37544fe86be5870fab2af5223a90e72dba292d77c95b1372ff22b9e38)
- 389-ds-base-snmp-debuginfo-2.1.8-1.module+el9dsrv+18377+a10e6f72.x86_64.rpm (SHA-256: 53b62e5cdbe0f8332ac467799bbbabf7b95998ae7e368a377625d10ccca1bf0b)
- cockpit-389-ds-2.1.8-1.module+el9dsrv+18377+a10e6f72.noarch.rpm (SHA-256: 351ca7de27828d6ea58379366ec17b34d1f747870dc6f07041e953f72375e151)
- python3-lib389-2.1.8-1.module+el9dsrv+18377+a10e6f72.noarch.rpm (SHA-256: e0a1a9d22f7f84a38a49a0c9e3fd9cf5cce2e9c74521906fab1d0e4b98a30154)
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.