Updated ldb packages fix security vulnerability

2019-05-0800:38:09

Gentoo Foundation

advisories.mageia.org

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

5.2 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

0.007 Low

EPSS

Percentile

80.1%

JSON

Garming Sam reported an out-of-bounds read in the ldb_wildcard_compare() function of ldb, resulting in denial of service (CVE-2019-3824). The ldb package has been updated to version 1.2.4 to fix this issue. The sssd and samba packages have been rebuilt against the updated ldb. If a user was configured with no home directory set, sssd would return ‘/’ (the root directory) instead of ‘’ (the empty string / no home directory). This could impact services that restrict the user’s filesystem access to within their home directory through chroot() etc. All versions before 2.1 are vulnerable. (CVE-2019-3811)

OSVersionArchitecturePackageVersionFilename
Mageia6noarchldb< 1.2.4-1ldb-1.2.4-1.mga6
Mageia6noarchsamba< 4.7.12-1.2samba-4.7.12-1.2.mga6
Mageia6noarchsssd< 1.13.4-9.5sssd-1.13.4-9.5.mga6