[Pkg-freeipa-devel] Bug#1034891: closed by Timo Aaltonen <tjaalton at debian.org> (Re: Bug#1034891: 389-ds-base: CVE-2023-1055)
Salvatore Bonaccorso
carnil at debian.org
Mon Jan 8 18:06:10 GMT 2024
Hi,
On Mon, Jan 08, 2024 at 06:56:40PM +0100, Salvatore Bonaccorso wrote:
> > Source: 389-ds-base
> > Version: 2.3.4+dfsg1-1
> >
> > Moritz Mühlenhoff kirjoitti 26.4.2023 klo 20.43:
> > > Source: 389-ds-base
> > > X-Debbugs-CC: team at security.debian.org
> > > Severity: important
> > > Tags: security
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for 389-ds-base.
> > >
> > > CVE-2023-1055[0]:
> > > | A flaw was found in RHDS 11 and RHDS 12. While browsing entries LDAP
> > > | tries to decode the userPassword attribute instead of the
> > > | userCertificate attribute which could lead into sensitive information
> > > | leaked. An attacker with a local account where the cockpit-389-ds is
> > > | running can list the processes and display the hashed passwords. The
> > > | highest threat from this vulnerability is to data confidentiality.
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2173517
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2023-1055
> > > https://www.cve.org/CVERecord?id=CVE-2023-1055
> > >
> > > Please adjust the affected versions in the BTS as needed.
> >
> > this was fixed upstream in 2.3.2
>
> Do you have a reference to an upstream issue and/or upstream changes
> in 2.3.2 which fixes the issue?
Or is it actually more related to
https://github.com/389ds/389-ds-base/issues/5687 which then would be
in 2.3.5 instead? (and inline with fedora importing 2.3.5 and
addressing the CVE?)
Regards,
Salvatore
More information about the Pkg-freeipa-devel
mailing list