Debian Bug report logs - #944150
389-ds-base: CVE-2019-14824: Read permission check bypass via the deref plugin


Package: src:389-ds-base; Maintainer for src:389-ds-base is Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 5 Nov 2019 06:24:02 UTC

Severity: grave

Tags: security, upstream

Found in versions 389-ds-base/1.4.1.6-4, 389-ds-base/1.3.5.17-2

Fixed in version 389-ds-base/1.4.2.4-1

Done: Timo Aaltonen <tjaalton@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>:
Bug#944150; Package src:389-ds-base. (Tue, 05 Nov 2019 06:24:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>. (Tue, 05 Nov 2019 06:24:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: 389-ds-base: CVE-2019-14824: Read permission check bypass via the deref plugin
Date: Tue, 05 Nov 2019 07:22:06 +0100
Source: 389-ds-base
Version: 1.4.1.6-4
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for 389-ds-base.

CVE-2019-14824[0]:
Read permission check bypass via the deref plugin

Note that [1] gives [2] as external reference, but there I get a 404
page not found. Not sure if the issue is marked private or the
reference is wrong.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14824
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14824
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1747448
[2] https://pagure.io/freeipa/issue/8050

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>:
Bug#944150; Package src:389-ds-base. (Mon, 25 Nov 2019 01:03:03 GMT)


Acknowledgement sent to Utkarsh Gupta <guptautkarsh2102@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>. (Mon, 25 Nov 2019 01:03:03 GMT)


Message #10 received at 944150@bugs.debian.org:

From: Utkarsh Gupta <guptautkarsh2102@gmail.com>
To: tjaalton@debian.org
Cc: 944150@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: 389-ds-base: CVE-2019-14824: Read permission check bypass via the deref plugin
Date: Mon, 25 Nov 2019 06:30:45 +0530
Hi Timo,

On Tue, 05 Nov 2019 07:22:06 +0100 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Source: 389-ds-base
> Version: 1.4.1.6-4
> Severity: grave
> Tags: security upstream
>
> Hi,
>
> The following vulnerability was published for 389-ds-base.
>
> CVE-2019-14824[0]:
> Read permission check bypass via the deref plugin

As a part of my LTS work, I have fixed this in Jessie (upload remaining)
so attaching a patch for Buster, Bullseye, and Sid. Hope you might be
interested in the same :)

Also, while at it, this patch also works for Stretch (just a quilt
refresh would be required) :)
Requesting you to fix the same at the earliest.


Best,
Utkarsh
[CVE-2019-14824.patch (text/x-patch, attachment)]

Marked as found in versions 389-ds-base/1.3.5.17-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 25 Nov 2019 13:57:05 GMT)


Reply sent to Timo Aaltonen <tjaalton@debian.org>:
You have taken responsibility. (Tue, 26 Nov 2019 22:21:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 26 Nov 2019 22:21:07 GMT)


Message #17 received at 944150-close@bugs.debian.org:

From: Timo Aaltonen <tjaalton@debian.org>
To: 944150-close@bugs.debian.org
Subject: Bug#944150: fixed in 389-ds-base 1.4.2.4-1
Date: Tue, 26 Nov 2019 22:19:29 +0000
Source: 389-ds-base
Source-Version: 1.4.2.4-1

We believe that the bug you reported is fixed in the latest version of
389-ds-base, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 944150@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <tjaalton@debian.org> (supplier of updated 389-ds-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 27 Nov 2019 00:00:59 +0200
Source: 389-ds-base
Architecture: source
Version: 1.4.2.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>
Changed-By: Timo Aaltonen <tjaalton@debian.org>
Closes: 944150
Changes:
 389-ds-base (1.4.2.4-1) unstable; urgency=medium
 .
   * New upstream release.
     - CVE-2019-14824 deref plugin displays restricted attributes
       (Closes: #944150)
   * fix-obsolete-target.diff: Dropped, obsolete
     drop-old-man.diff: Refreshed
   * control: Add python3-packaging to build-depends and python3-lib389 depends.
   * dev,libs.install: Nunc-stans got dropped.
   * source/local-options: Add some files to diff-ignore.
   * rules: Refresh list of files to purge.
   * rules: Update dh_auto_clean override.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 12 Sep 2021 07:37:19 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Oct 8 03:11:12 2023; Machine Name: bembo
