| Summary: | [CVE 21] 389-ds-base 1.4.4.4 CVEs found | ||
|---|---|---|---|
| Product: | [ROSA-based products] ROSA Fresh | Reporter: | Yury <y.tumanov> |
| Component: | System (kernel, glibc, systemd, bash, PAM...) | Assignee: | ROSA Linux Bugs <bugs> |
| Status: | VERIFIED FIXED | QA Contact: | ROSA Linux Bugs <bugs> |
| Severity: | critical | ||
| Priority: | Highest | CC: | a.proklov, e.kosachev, m.novosyolov, pastordidi, s.matveev, v.potapov, y.tumanov |
| Version: | All | Flags: | v.potapov: qa_verified+ y.tumanov: secteam_verified+ a.proklov: published+ |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | CVE-2022-1949, | ||
| Whiteboard: | |||
| Platform: | 2021.1 | ROSA Vulnerability identifier: | |
| RPM Package: | ISO-related: | ||
| Bad POT generating: | Upstream: | ||
|
Description
Yury
2023-10-18 20:23:59 MSK
*** Bug 13494 has been marked as a duplicate of this bug. ***
*** Bug 13685 has been marked as a duplicate of this bug. ***
Very hard to close: of the 4 patches https://github.com/389ds/389-ds-base/issues/5170 I applied only 3.
https://github.com/389ds/389-ds-base/pull/5285 I cannot apply, the code has changed.
------------------------------------------
389-ds-base 1.4.4.4-14
https://abf.io/build_lists/4759250
https://abf.io/build_lists/4759251
https://abf.io/build_lists/4759252
https://abf.io/build_lists/4759253
e2k did not build - there is no nodejs.
This project is needed for ipa, test ipa with it.
It does not work, it crashes, so there is an error somewhere in the code.
dc1 ~ # systemctl status autosetup
× autosetup.service - Automatic setup in LiveCD
Loaded: loaded (/etc/systemd/system/autosetup.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Fri 2023-10-20 15:48:00 MSK; 1min 15s ago
Process: 1532 ExecStart=/bin/bash -x /usr/local/bin/autosetup.sh (code=exited, status=1/FAILURE)
Main PID: 1532 (code=exited, status=1/FAILURE)
CPU: 2.358s
Oct 20 15:47:56 dc1.ipa.loc bash[1548]: Using default chrony configuration.
Oct 20 15:47:56 dc1.ipa.loc bash[1548]: Configuring directory server (dirsrv). Estimated time: 30 seconds
Oct 20 15:47:56 dc1.ipa.loc bash[1548]: [1/45]: creating directory server instance
Oct 20 15:48:00 dc1.ipa.loc bash[1548]: [error] SERVER_DOWN: {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'Invalid attribute in filter - results may not be complete.'}
Oct 20 15:48:00 dc1.ipa.loc bash[1548]: {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'Invalid attribute in filter - results may not be complete.'}
Oct 20 15:48:00 dc1.ipa.loc bash[1548]: The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
Oct 20 15:48:00 dc1.ipa.loc systemd[1]: autosetup.service: Main process exited, code=exited, status=1/FAILURE
Oct 20 15:48:00 dc1.ipa.loc systemd[1]: autosetup.service: Failed with result 'exit-code'.
Oct 20 15:48:00 dc1.ipa.loc systemd[1]: Failed to start Automatic setup in LiveCD.
Oct 20 15:48:00 dc1.ipa.loc systemd[1]: autosetup.service: Consumed 2.358s CPU time.
dc1 ~ # systemctl --failed
UNIT LOAD ACTIVE SUB DESCRIPTION
● autosetup.service loaded failed failed Automatic setup in LiveCD
● dirsrv@IPA-LOC.service loaded failed failed 389 Directory Server IPA-LOC.
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
2 loaded units listed.
dc1 ~ # systemctl status dirsrv@IPA-LOC.service
× dirsrv@IPA-LOC.service - 389 Directory Server IPA-LOC.
Loaded: loaded (/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
Drop-In: /lib/systemd/system/dirsrv@.service.d
└─custom.conf
Active: failed (Result: core-dump) since Fri 2023-10-20 15:48:00 MSK; 2min 9s ago
Process: 1631 ExecStartPre=/usr/libexec/ds_systemd_ask_password_acl /etc/dirsrv/slapd-IPA-LOC/dse.ldif (code=exited, status=0/SUCCESS)
Process: 1636 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-IPA-LOC -i /run/dirsrv/slapd-IPA-LOC.pid (code=dumped, signal=SEGV)
Main PID: 1636 (code=dumped, signal=SEGV)
Status: "slapd started: Ready to process requests"
CPU: 286ms
Oct 20 15:48:00 dc1.ipa.loc ns-slapd[1636]: [20/Oct/2023:15:48:00.055250789 +0300] - NOTICE - ldbm_back_start - found 4180324k physical memory
Oct 20 15:48:00 dc1.ipa.loc ns-slapd[1636]: [20/Oct/2023:15:48:00.055379576 +0300] - NOTICE - ldbm_back_start - found 3668464k available
Oct 20 15:48:00 dc1.ipa.loc ns-slapd[1636]: [20/Oct/2023:15:48:00.055452783 +0300] - NOTICE - ldbm_back_start - cache autosizing: db cache: 261270k
Oct 20 15:48:00 dc1.ipa.loc ns-slapd[1636]: [20/Oct/2023:15:48:00.055558208 +0300] - NOTICE - ldbm_back_start - total cache size: 214032588 B;
Oct 20 15:48:00 dc1.ipa.loc ns-slapd[1636]: [20/Oct/2023:15:48:00.109120551 +0300] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
Oct 20 15:48:00 dc1.ipa.loc systemd[1]: Started 389 Directory Server IPA-LOC..
Oct 20 15:48:00 dc1.ipa.loc ns-slapd[1636]: [20/Oct/2023:15:48:00.138812165 +0300] - INFO - postop_modify_config_dse - The change of nsslapd-securePort will not take effect until the server is restarted
Oct 20 15:48:00 dc1.ipa.loc ns-slapd[1636]: [20/Oct/2023:15:48:00.142575267 +0300] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
Oct 20 15:48:00 dc1.ipa.loc systemd[1]: dirsrv@IPA-LOC.service: Main process exited, code=dumped, status=11/SEGV
Oct 20 15:48:00 dc1.ipa.loc systemd[1]: dirsrv@IPA-LOC.service: Failed with result 'core-dump'.
dmesg:
[Fri Oct 20 15:47:59 2023] ns-slapd[1657]: segfault at 6e0000295c ip 00007faabb9073d1 sp 00007faa9aff7808 error 4 in libc-2.33.so[7faabb7b5000+163000] likely on CPU 1 (core 1, socket 0)
389-ds-base 1.4.4.4-15 - tried to fix the patch
https://abf.io/build_lists/4759516
https://abf.io/build_lists/4759517
https://abf.io/build_lists/4759518
On a repeated start the dirsrv@IPA-LOC.service service starts normally; no idea how to catch the fact that it did not start during autosetup :(
Rolled back this patch https://github.com/389ds/389-ds-base/pull/5604, so it is patched partially.
389-ds-base 1.4.4.4-16
https://abf.io/build_lists/4759583 (x64)
https://abf.io/build_lists/4759615
https://abf.io/build_lists/4759616
https://abf.io/build_lists/4759618
------------------------------------
Image with container 4759583: the ipa installation went through normally.
https://abf.io/platforms/rosa2021.1/products/340/product_build_lists/48645
Fine with freeipa.
*****************************
Update sent to Testing
389-ds-base-1.4.4.4-16
https://abf.io/build_lists/4759583 (x64)
https://abf.io/build_lists/4759615
https://abf.io/build_lists/4759616
https://abf.io/build_lists/4759618
************************** Advisory ****************************
CVE-2022-1949 fix
****************************************************************
QA Verified
CVE-2022-1949 secteam_verified |