[RHSA-2015:0728-01] Moderate: ipa and slapi-nis security and bug fix update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: ipa and slapi-nis security and bug fix update
Advisory ID:       RHSA-2015:0728-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-0728.html
Issue date:        2015-03-26
CVE Names:         CVE-2015-0283 CVE-2015-1827
=====================================================================

1. Summary:

Updated ipa and slapi-nis packages that fix two security issues and several
bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Red Hat Identity Management is a centralized authentication, identity
management, and authorization solution for both traditional and cloud-based
enterprise environments. It integrates components of the Red Hat Directory
Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides
web browser and command-line interfaces. Its administration tools allow an
administrator to quickly install, set up, and administer a group of domain
controllers to meet the authentication and identity management requirements
of large-scale Linux and UNIX deployments.

The ipa component provides centrally managed Identity, Policy, and Audit.
The slapi-nis component provides NIS Server and Schema Compatibility
plug-ins for Directory Server.

It was discovered that the IPA extdom Directory Server plug-in did not
correctly perform memory reallocation when handling user account
information. A request for a list of groups for a user that belongs to a
large number of groups would cause a Directory Server to crash.
(CVE-2015-1827)

It was discovered that the slapi-nis Directory Server plug-in did not
correctly perform memory reallocation when handling user account
information. A request for information about a group with many members, or
a request for a user that belongs to a large number of groups, would cause
a Directory Server to enter an infinite loop and consume an excessive
amount of CPU time. (CVE-2015-0283)

These issues were discovered by Sumit Bose of Red Hat.

This update fixes the following bugs:

* Previously, users of IdM were not properly granted the default permission
to read the "facsimiletelephonenumber" user attribute. This update adds
"facsimiletelephonenumber" to the Access Control Instruction (ACI) for user
data, which makes the attribute readable to authenticated users as
expected. (BZ#1198430)

* Prior to this update, when a DNS zone was saved in an LDAP database
without a dot character (.) at the end, internal DNS commands and
operations, such as dnsrecord-* or dnszone-*, failed. With this update, DNS
commands always supply the DNS zone with a dot character at the end, which
prevents the described problem. (BZ#1198431)

* After a full-server IdM restore operation, the restored server in some
cases contained invalid data. In addition, if the restored server was used
to reinitialize a replica, the replica then contained invalid data as well.
To fix this problem, the IdM API is now created correctly during the
restore operation, and *.ldif files are not skipped during the removal of
RUV data. As a result, the restored server and its replica no longer
contain invalid data. (BZ#1199060)

* Previously, a deadlock in some cases occurred during an IdM upgrade,
which could cause the IdM server to become unresponsive. With this update,
the Schema Compatibility plug-in has been adjusted not to parse the subtree
that contains the configuration of the DNA plug-in, which prevents this
deadlock from triggering. (BZ#1199128)

* When using the extdom plug-in of IdM to handle large groups, user lookups
and group lookups previously failed due to insufficient buffer size.
With this update, the getgrgid_r() call gradually increases the buffer
length if needed, and the described failure of extdom thus no longer
occurs. (BZ#1203204)
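
The getgrgid_r() buffer handling in the BZ#1203204 item above, and the
memory-reallocation failure modes behind CVE-2015-0283 (an infinite loop)
and CVE-2015-1827 (a crash), all come down to the same contract: the
reentrant NSS lookups report ERANGE when the caller's scratch buffer cannot
hold a large member list, and the caller must grow the buffer on that
result, with an upper bound so that the retry can neither spin forever nor
grow memory without limit. The C program below is an added example written
for this page, not code from the ipa or slapi-nis projects, and it does not
reproduce their fix; the function names, the MAX_GROUP_BUF cap and the
starting buffer sizes are assumptions chosen for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Result codes for lookup_group_by_gid() (names are this example's own). */
enum lookup_status { LOOKUP_FOUND = 0, LOOKUP_NOT_FOUND = 1, LOOKUP_ERROR = 2 };

/* Upper bound on the scratch buffer. Refusing to grow past it turns a
 * pathological group, or a misbehaving NSS backend that keeps returning
 * ERANGE, into a clean error instead of unbounded growth. The value is an
 * assumption for this example, not a value from the advisory. */
#define MAX_GROUP_BUF (16 * 1024 * 1024)

/* Look up a group by gid with getgrgid_r(), doubling the scratch buffer each
 * time the call reports ERANGE. On LOOKUP_FOUND, *out_buf holds the strings
 * referenced by *grp and must be freed by the caller; otherwise *out_buf is
 * NULL. *attempts reports how many getgrgid_r() calls were made. */
enum lookup_status lookup_group_by_gid(gid_t gid, size_t initial_len,
                                       struct group *grp, char **out_buf,
                                       int *attempts)
{
    size_t len = initial_len ? initial_len : 1024;
    char *buf = NULL;
    *out_buf = NULL;
    *attempts = 0;

    for (;;) {
        struct group *result = NULL;
        char *nbuf = realloc(buf, len);   /* realloc(NULL, n) acts as malloc */
        if (nbuf == NULL) {
            free(buf);
            return LOOKUP_ERROR;
        }
        buf = nbuf;

        (*attempts)++;
        int rc = getgrgid_r(gid, grp, buf, len, &result);

        if (rc == 0 && result != NULL) {   /* success: grp points into buf */
            *out_buf = buf;
            return LOOKUP_FOUND;
        }
        if (rc == 0 && result == NULL) {   /* no such gid */
            free(buf);
            return LOOKUP_NOT_FOUND;
        }
        if (rc != ERANGE) {                /* genuine error (EIO, EMFILE, ...) */
            free(buf);
            return LOOKUP_ERROR;
        }
        /* ERANGE: the member list did not fit. Grow the buffer, but only up
         * to the cap, so the loop is guaranteed to terminate. */
        if (len >= MAX_GROUP_BUF) {
            free(buf);
            return LOOKUP_ERROR;
        }
        len = (len > MAX_GROUP_BUF / 2) ? MAX_GROUP_BUF : len * 2;
    }
}

/* Count the members of a looked-up group (gr_mem is NULL-terminated). */
size_t group_member_count(const struct group *grp)
{
    size_t n = 0;
    if (grp->gr_mem != NULL)
        while (grp->gr_mem[n] != NULL)
            n++;
    return n;
}

int main(void)
{
    struct group grp;
    char *buf = NULL;
    int attempts = 0;

    /* A deliberately tiny starting buffer forces the ERANGE path even for a
     * small group such as gid 0, which exercises the retry logic. */
    enum lookup_status st = lookup_group_by_gid(0, 8, &grp, &buf, &attempts);
    if (st == LOOKUP_FOUND) {
        printf("gid 0 -> %s, %zu member(s), %d getgrgid_r() call(s)\n",
               grp.gr_name, group_member_count(&grp), attempts);
        free(buf);
    } else {
        printf("gid 0 lookup ended with status %d after %d call(s)\n",
               st, attempts);
    }
    return 0;
}
```

Starting from a tiny buffer is a convenient way to test that a retry loop
terminates and frees on every exit path; in a real plug-in the starting size
would normally come from sysconf(_SC_GETGR_R_SIZE_MAX), and the cap would be
chosen from the largest group the deployment legitimately has to serve.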

Users of ipa and slapi-nis are advised to upgrade to these updated
packages, which correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1195729 - CVE-2015-0283 slapi-nis: infinite loop in getgrnam_r() and getgrgid_r()
1198430 - Fax number not displayed for user-show when kinit'ed as normal user.
1198431 - "an internal error has occurred" during ipa host-del --updatedns
1199060 - Replication agreement with replica not disabled when ipa-restore done without IPA installed
1199128 - Limit deadlocks between DS plugin DNA and slapi-nis
1205200 - CVE-2015-1827 ipa: memory corruption when using get_user_grouplist()

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
ipa-4.1.0-18.el7_1.3.src.rpm

x86_64:
ipa-client-4.1.0-18.el7_1.3.x86_64.rpm
ipa-debuginfo-4.1.0-18.el7_1.3.x86_64.rpm
ipa-python-4.1.0-18.el7_1.3.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

Source:
slapi-nis-0.54-3.el7_1.src.rpm

x86_64:
ipa-admintools-4.1.0-18.el7_1.3.x86_64.rpm
ipa-debuginfo-4.1.0-18.el7_1.3.x86_64.rpm
ipa-server-4.1.0-18.el7_1.3.x86_64.rpm
ipa-server-trust-ad-4.1.0-18.el7_1.3.x86_64.rpm
slapi-nis-0.54-3.el7_1.x86_64.rpm
slapi-nis-debuginfo-0.54-3.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
ipa-4.1.0-18.el7_1.3.src.rpm

x86_64:
ipa-client-4.1.0-18.el7_1.3.x86_64.rpm
ipa-debuginfo-4.1.0-18.el7_1.3.x86_64.rpm
ipa-python-4.1.0-18.el7_1.3.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:
slapi-nis-0.54-3.el7_1.src.rpm

x86_64:
ipa-admintools-4.1.0-18.el7_1.3.x86_64.rpm
ipa-debuginfo-4.1.0-18.el7_1.3.x86_64.rpm
ipa-server-4.1.0-18.el7_1.3.x86_64.rpm
ipa-server-trust-ad-4.1.0-18.el7_1.3.x86_64.rpm
slapi-nis-0.54-3.el7_1.x86_64.rpm
slapi-nis-debuginfo-0.54-3.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
ipa-4.1.0-18.el7_1.3.src.rpm
slapi-nis-0.54-3.el7_1.src.rpm

ppc64:
ipa-client-4.1.0-18.el7_1.3.ppc64.rpm
ipa-debuginfo-4.1.0-18.el7_1.3.ppc64.rpm
ipa-python-4.1.0-18.el7_1.3.ppc64.rpm

s390x:
ipa-client-4.1.0-18.el7_1.3.s390x.rpm
ipa-debuginfo-4.1.0-18.el7_1.3.s390x.rpm
ipa-python-4.1.0-18.el7_1.3.s390x.rpm

x86_64:
ipa-admintools-4.1.0-18.el7_1.3.x86_64.rpm
ipa-client-4.1.0-18.el7_1.3.x86_64.rpm
ipa-debuginfo-4.1.0-18.el7_1.3.x86_64.rpm
ipa-python-4.1.0-18.el7_1.3.x86_64.rpm
ipa-server-4.1.0-18.el7_1.3.x86_64.rpm
ipa-server-trust-ad-4.1.0-18.el7_1.3.x86_64.rpm
slapi-nis-0.54-3.el7_1.x86_64.rpm
slapi-nis-debuginfo-0.54-3.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
ipa-4.1.0-18.ael7b_1.3.src.rpm
slapi-nis-0.54-3.ael7b_1.src.rpm

ppc64le:
ipa-admintools-4.1.0-18.ael7b_1.3.ppc64le.rpm
ipa-client-4.1.0-18.ael7b_1.3.ppc64le.rpm
ipa-debuginfo-4.1.0-18.ael7b_1.3.ppc64le.rpm
ipa-python-4.1.0-18.ael7b_1.3.ppc64le.rpm
slapi-nis-0.54-3.ael7b_1.ppc64le.rpm
slapi-nis-debuginfo-0.54-3.ael7b_1.ppc64le.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
ipa-admintools-4.1.0-18.el7_1.3.ppc64.rpm
ipa-debuginfo-4.1.0-18.el7_1.3.ppc64.rpm

s390x:
ipa-admintools-4.1.0-18.el7_1.3.s390x.rpm
ipa-debuginfo-4.1.0-18.el7_1.3.s390x.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
ipa-4.1.0-18.el7_1.3.src.rpm
slapi-nis-0.54-3.el7_1.src.rpm

x86_64:
ipa-admintools-4.1.0-18.el7_1.3.x86_64.rpm
ipa-client-4.1.0-18.el7_1.3.x86_64.rpm
ipa-debuginfo-4.1.0-18.el7_1.3.x86_64.rpm
ipa-python-4.1.0-18.el7_1.3.x86_64.rpm
ipa-server-4.1.0-18.el7_1.3.x86_64.rpm
ipa-server-trust-ad-4.1.0-18.el7_1.3.x86_64.rpm
slapi-nis-0.54-3.el7_1.x86_64.rpm
slapi-nis-debuginfo-0.54-3.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-0283
https://access.redhat.com/security/cve/CVE-2015-1827
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVFDz8XlSAg2UNWIIRAvgUAJ9U0eyenVvxsLHHI9au97GRESR+xwCgwc4m
jbpHQeTlpEla/QvB1RMD0BM=
=qyzj
-----END PGP SIGNATURE-----
