Medium: 389-ds-base

2016-12-15T23:48:00
ID ALAS-2016-773
Type amazon
Reporter Amazon
Modified 2016-12-15T23:48:00

Description

Issue Overview:

CVE-2016-5405 __ 389-ds-base: Password verification vulnerable to timing attack
It was found that 389 Directory Server was vulnerable to a remote password disclosure via timing attack. A remote attacker could possibly use this flaw to retrieve directory server password after many tries.

CVE-2016-5416 __ 389-ds-base: ACI readable by anonymous user
It was found that 389 Directory Server was vulnerable to a flaw in which the default ACI (Access Control Instructions) could be read by an anonymous user. This could lead to leakage of sensitive information.

CVE-2016-4992 __ 389-ds-base: Information disclosure via repeated use of LDAP ADD operation
An information disclosure flaw was found in 389 Directory Server. A user with no access to objects in certain LDAP sub-tree could send LDAP ADD operations with a specific object name. The error message returned to the user was different based on whether the target object existed or not.

Affected Packages:

389-ds-base

Issue Correction:
Run yum update 389-ds-base to update your system.

New Packages:

i686:  
    389-ds-base-debuginfo-1.3.5.10-11.49.amzn1.i686  
    389-ds-base-devel-1.3.5.10-11.49.amzn1.i686  
    389-ds-base-snmp-1.3.5.10-11.49.amzn1.i686  
    389-ds-base-1.3.5.10-11.49.amzn1.i686  
    389-ds-base-libs-1.3.5.10-11.49.amzn1.i686

src:  
    389-ds-base-1.3.5.10-11.49.amzn1.src

x86_64:  
    389-ds-base-1.3.5.10-11.49.amzn1.x86_64  
    389-ds-base-snmp-1.3.5.10-11.49.amzn1.x86_64  
    389-ds-base-libs-1.3.5.10-11.49.amzn1.x86_64  
    389-ds-base-debuginfo-1.3.5.10-11.49.amzn1.x86_64  
    389-ds-base-devel-1.3.5.10-11.49.amzn1.x86_64