389-ds-base (SL7)

Synopsis: Important: 389-ds-base security and bug fix update
Advisory ID: SLSA-2017:0920-1
Issue Date: 2017-04-12
CVE Numbers: CVE-2017-2668

Security Fix(es):

* An invalid pointer dereference flaw was found in the way 389-ds-base
handled LDAP bind requests. A remote unauthenticated attacker could use
this flaw to make ns-slapd crash via a specially crafted LDAP bind
request, resulting in denial of service. (CVE-2017-2668)

Bug Fix(es):

* Previously, when adding a filtered role definition that uses the
“nsrole” virtual attribute in the filter, Directory Server terminated
unexpectedly. A patch has been applied, and now the roles plug-in ignores
all virtual attributes. As a result, an error message is logged when an
invalid filter is used. Additionally, the role is deactivated and
Directory Server no longer fails.

* In a replication topology, Directory Server incorrectly calculated the
size of string format entries when a lot of entries were deleted. The
calculated size of entries was smaller than the actual required size.
Consequently, Directory Server allocated insufficient memory and
terminated unexpectedly when the data was written to it. With this update,
the size of string format entries is now calculated correctly in the
described situation and Directory Server no longer terminates.


– Scientific Linux Development Team