USN-5231-1: 389 Directory Server vulnerabilities
18 July 2022
Several security issues were fixed in 389 Directory Server.
Releases
Packages
- 389-ds-base - 389 Directory Server suite - server
Details
It was discovered that 389 Directory Server presented to users, during
authentication, an error message which could be used to discover if a
certain LDAP DN existed or not. A remote unauthenticated attacker could
possibly use this to check the existence of an entry in a LDAP database
and expose sensitive information. This issue affected only Ubuntu 20.04
ESM. (CVE-2020-35518)
It was discovered that 389 Directory Server was incorrectly validating
data used to access memory addresses. An authenticated attacker using a
Syncrepl client could use this issue with a specially crafted query to
cause 389 Directory Server to crash, resulting in a denial of service.
(CVE-2021-3514)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 20.04
-
389-ds-base
-
1.4.3.6-2ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 18.04
-
389-ds-base
-
1.3.7.10-1ubuntu1+esm1
Available with Ubuntu Pro
Ubuntu 16.04
-
389-ds-base
-
1.3.4.9-1ubuntu0.1~esm1
Available with Ubuntu Pro
After a standard system update you need to restart 389 Directory server
to make all the necessary changes.