Bug 13213

Summary: CVEs found in 389-ds-base 1.4.4.4
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: critical
Priority: High
CC: a.proklov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+
       y.tumanov: secteam_verified+
       a.proklov: published+
Target Milestone: 2021.1 Fresh R12
Hardware: All
OS: Linux
Whiteboard:
Platform: 2021.1 ROSA
Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-04-16 21:57:46 MSK
CVE-2021-3652
	A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled.
	https://nvd.nist.gov/vuln/detail/CVE-2021-3652
MEDIUM


CVE-2022-1949
	An access control bypass vulnerability was found in 389-ds-base. The mishandling of the filter was at first thought only to yield incorrect results, but as the investigation progressed it was determined that it is actually an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including, potentially, userPassword hashes and other sensitive data.
	https://nvd.nist.gov/vuln/detail/CVE-2022-1949
HIGH
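Added example for the CVE-2021-3652 condition described above; this is not code from the bug report, from ROSA or from 389-ds-base. It scans an LDIF export (such as db2ldif output) and flags userPassword values that are a bare "*" or carry no "{SCHEME}" prefix, so accounts that were meant to be disabled can be found before import or checked after the update. The assumption that hashed passwords always take the "{SCHEME}<hash>" form, the scheme names, and the sample entries are constructed for the example.

```python
"""Audit an LDIF export for userPassword values that are not real hashes.

Added example for this bug report; it is not code from 389-ds-base or from
ROSA. The CVE-2021-3652 description says that a bare "*" imported as a
password hash matched any password instead of disabling the account. This
script scans an LDIF dump and flags entries whose userPassword is "*" or
carries no "{SCHEME}" prefix.
Assumption: 389-ds stores hashed passwords as "{SCHEME}<hash>", so any other
shape is reported as a disabled marker or as cleartext.
"""
import base64
import re

# Hashed-password values look like "{PBKDF2_SHA256}..." or "{SSHA512}...".
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}.+$")


def parse_ldif(text):
    """Minimal LDIF parser returning a list of (dn, {attr: [values]}).

    Handles folded lines (leading space) and base64 values ("attr:: ...");
    comments and "version:" lines are ignored, URL values ("attr:< ...") are
    not supported.
    """
    # Unfold continuation lines first.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, dn, attrs = [], None, {}
    for line in lines + [""]:          # sentinel blank line flushes the last entry
        if line.strip() == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        attr = attr.strip().lower()
        if rest.startswith(":"):       # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if attr == "dn":
            dn = value
        elif attr != "version":
            attrs.setdefault(attr, []).append(value)
    return entries


def classify_password(value):
    """Return 'hashed:<SCHEME>', 'disabled-star' for a bare '*', or 'cleartext'."""
    if value == "*":
        return "disabled-star"
    match = SCHEME_RE.match(value)
    if match:
        return "hashed:" + match.group(1).upper()
    return "cleartext"


def audit(ldif_text):
    """Return [(dn, classification)] for every userPassword that is not a hash."""
    findings = []
    for dn, attrs in parse_ldif(ldif_text):
        for pw in attrs.get("userpassword", []):
            kind = classify_password(pw)
            if not kind.startswith("hashed:"):
                findings.append((dn, kind))
    return findings


# Constructed sample export: one proper hash, a bare "*", a base64-encoded "*"
# ("Kg==" decodes to "*"), and a cleartext password. Hash value is not real.
SAMPLE_LDIF = """\
version: 1
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword: {PBKDF2_SHA256}AAAgAExampleHashValueNotReal

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
userPassword: *

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
userPassword:: Kg==

dn: uid=dave,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: dave
userPassword: hunter2
"""

if __name__ == "__main__":
    for dn, kind in audit(SAMPLE_LDIF):
        print(f"{kind:14s} {dn}")
```

The base64 case matters because an LDIF writer may encode "*" as `userPassword:: Kg==`, which a plain text search for `userPassword: *` would miss. Entries reported as "disabled-star" should get their userPassword removed or replaced with a proper account-inactivation mechanism rather than relying on an unparseable hash.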
Comment 1 Svyatoslav Matveev 2023-04-27 17:42:53 MSK
********** QA ADVISORY **********

Closed CVE-2021-3652
There is no patch for CVE-2022-1949 for this version.

*** 389-ds-base

https://abf.io/build_lists/4432288
https://abf.io/build_lists/4432289
https://abf.io/build_lists/4432287
https://abf.io/build_lists/4432291
Comment 2 Dmitry Postnikov 2023-05-03 19:14:39 MSK
Tested on FreeIPA. Everything is fine.

****************************
The update sent to testings
Comment 3 Vladimir Potapov 2023-05-10 11:39:26 MSK
389-ds-base-1.4.4.4-12
https://abf.io/build_lists/4432288
https://abf.io/build_lists/4432289
https://abf.io/build_lists/4432287
https://abf.io/build_lists/4432291
**************************** Advisory ************************
Fix CVE-2021-3652
**************************************************************
QA Verified
Comment 4 Yury 2023-07-25 12:07:00 MSK
Secteam Verified