Synopsis: Important: 389-ds-base security and bug fix update
Advisory ID: SLSA-2018:1380-1
Issue Date: 2018-05-15
CVE Numbers: CVE-2018-1089
* 389-ds-base: ns-slapd crash via large filter value in ldapsearch
* Indexing tasks in Directory Server contain the nsTaskStatus attribute to
monitor whether the task is completed and the database is ready to receive
updates. Before this update, the server set the value that indexing had
completed before the database was ready to receive updates. Applications
which monitor nsTaskStatus could start sending updates as soon as indexing
completed, but before the database was ready. As a consequence, the server
rejected updates with an UNWILLING_TO_PERFORM error. The problem has been
fixed. As a result, the nsTaskStatus attribute now shows that indexing is
completed after the database is ready to receive updates.
* Previously, Directory Server did not remember when the first operation,
bind, or a connection was started. As a consequence, the server applied in
certain situations anonymous resource limits to an authenticated client.
With this update, Directory Server properly marks authenticated client
connections. As a result, it applies the correct resource limits, and
authenticated clients no longer get randomly restricted by anonymous
* When debug replication logging is enabled, Directory Server incorrectly
logged an error that updating the replica update vector (RUV) failed when
in fact the update succeeded. The problem has been fixed, and the server
no longer logs an error if updating the RUV succeeds.
* This update adds the -W option to the ds-replcheck utility. With this
option, ds-replcheck asks for the password, similar to OpenLDAP utilities.
As a result, the password is not stored in the shell’s history file when
the -W option is used.
* If an administrator moves a group in Directory Server from one subtree
to another, the memberOf plug-in deletes the memberOf attribute with the
old value and adds a new memberOf attribute with the new group’s
distinguished name (DN) in affected user entries. Previously, if the old
subtree was not within the scope of the memberOf plug-in, deleting the old
memberOf attribute failed because the values did not exist. As a
consequence, the plug-in did not add the new memberOf value, and the user
entry contained an incorrect memberOf value. With this update, the plug-in
now checks the return code when deleting the old value. If the return code
is “no such value”, the plug-in only adds the new memberOf value. As a
result, the memberOf attribute information is correct.
* In a Directory Server replication topology, updates are managed by using
Change Sequence Numbers (CSN) based on time stamps. New CSNs must be
higher than the highest CSN present in the relative update vector (RUV).
In case the server generates a new CSN in the same second as the most
recent CSN, the sequence number is increased to ensure that it is higher.
However, if the most recent CSN and the new CSN were identical, the
sequence number was not increased. In this situation, the new CSN was,
except the replica ID, identical to the most recent one. As a consequence,
a new update in the directory appeared in certain situations older than
the most recent update. With this update, Directory Server increases the
CSN if the sequence number is lower or equal to the most recent one. As a
result, new updates are no longer considered older than the most recent
– Scientific Linux Development Team