389 Directory Server is vulnerable to information disclosure. This is due to improper access restriction in the do_search function in ldap/servers/slapd/search.c when the nsslapd-allow-anonymous-access configuration is set to rootdse and the BASE search scope is used, allowing a remote attacker to retrieve confidential information outside of rootDSE via a malicious LDAP search.
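To find instances running in the configuration this advisory describes, the following added example (not code from the 389 project or from the advisory) reads the cn=config entry of a dse.ldif and reports the nsslapd-allow-anonymous-access mode, handling LDIF line folding. The sample LDIF is constructed, the function names are hypothetical, and treating a missing attribute as "on" is an assumption about the server default.

```python
import re

# Constructed sample: a folded attribute line, as LDIF writers may emit.
SAMPLE_DSE = """\
dn: cn=config
objectClass: top
cn: config
nsslapd-port: 389
nsslapd-allow-anonymous-
 access: rootdse

dn: cn=monitor
objectClass: top
cn: monitor
"""

def unfold(ldif_text):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif_text)

def anonymous_access_mode(ldif_text):
    """Return the nsslapd-allow-anonymous-access value from cn=config.

    Returns "on" if the attribute is absent (assumed default) and
    None if the file has no cn=config entry at all.
    """
    for entry in re.split(r"\n\s*\n", unfold(ldif_text)):
        attrs = {}
        for line in entry.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            # Attribute names are case-insensitive; keep the first value.
            attrs.setdefault(name.strip().lower(), value.strip())
        if attrs.get("dn", "").lower().replace(" ", "") == "cn=config":
            return attrs.get("nsslapd-allow-anonymous-access", "on").lower()
    return None

def affected_configuration(ldif_text):
    """True when the instance uses the rootdse mode named in the advisory."""
    return anonymous_access_mode(ldif_text) == "rootdse"

if __name__ == "__main__":
    print(anonymous_access_mode(SAMPLE_DSE), affected_configuration(SAMPLE_DSE))
```

A True result only identifies the configuration; whether the installed build carries the fix has to be checked against the errata and commit listed below.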
lists.fedoraproject.org/pipermail/package-announce/2013-April/101323.html
rhn.redhat.com/errata/RHSA-2013-0742.html
access.redhat.com/security/updates/classification/#low
bugzilla.redhat.com/show_bug.cgi?id=928105
bugzilla.redhat.com/show_bug.cgi?id=929111
bugzilla.redhat.com/show_bug.cgi?id=929114
bugzilla.redhat.com/show_bug.cgi?id=929115
fedorahosted.org/389/ticket/47308
fedorahosted.org/freeipa/ticket/3540
git.fedorahosted.org/cgit/389/ds.git/commit/?h=389-ds-base-1.2.11&id=5a18c828533a670e7143327893f8171a19062286