An update for three-eight-nine-ds-base is now available for openEuler-22.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-2168 Final 1.0 1.0 2024-09-20 Initial 2024-09-20 2024-09-20 openEuler SA Tool V1.0 2024-09-20 three-eight-nine-ds-base security update An update for three-eight-nine-ds-base is now available for openEuler-22.03-LTS-SP3 389-ds-base is an LDAPv3 compliant server which includes the LDAP server and command line utilities for server administration. Security Fix(es): An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.(CVE-2022-1949) A denial of service vulnerability was found in the 389-ds-base LDAP server. This issue may allow an authenticated user to cause a server denial of service while attempting to log in with a user with a malformed hash in their password.(CVE-2024-5953) An update for three-eight-nine-ds-base is now available for openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High three-eight-nine-ds-base https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2168 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2022-1949 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-5953 https://nvd.nist.gov/vuln/detail/CVE-2022-1949 https://nvd.nist.gov/vuln/detail/CVE-2024-5953 openEuler-22.03-LTS-SP3 389-ds-base-1.4.3.36-7.oe2203sp3.aarch64.rpm 389-ds-base-debuginfo-1.4.3.36-7.oe2203sp3.aarch64.rpm 389-ds-base-debugsource-1.4.3.36-7.oe2203sp3.aarch64.rpm 389-ds-base-devel-1.4.3.36-7.oe2203sp3.aarch64.rpm 389-ds-base-help-1.4.3.36-7.oe2203sp3.aarch64.rpm 389-ds-base-legacy-tools-1.4.3.36-7.oe2203sp3.aarch64.rpm 389-ds-base-snmp-1.4.3.36-7.oe2203sp3.aarch64.rpm 389-ds-base-1.4.3.36-7.oe2203sp3.src.rpm 389-ds-base-1.4.3.36-7.oe2203sp3.x86_64.rpm 389-ds-base-debuginfo-1.4.3.36-7.oe2203sp3.x86_64.rpm 389-ds-base-debugsource-1.4.3.36-7.oe2203sp3.x86_64.rpm 389-ds-base-devel-1.4.3.36-7.oe2203sp3.x86_64.rpm 389-ds-base-help-1.4.3.36-7.oe2203sp3.x86_64.rpm 389-ds-base-legacy-tools-1.4.3.36-7.oe2203sp3.x86_64.rpm 389-ds-base-snmp-1.4.3.36-7.oe2203sp3.x86_64.rpm cockpit-389-ds-1.4.3.36-7.oe2203sp3.noarch.rpm python3-lib389-1.4.3.36-7.oe2203sp3.noarch.rpm An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data. 2024-09-20 CVE-2022-1949 openEuler-22.03-LTS-SP3 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N three-eight-nine-ds-base security update 2024-09-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2168 A denial of service vulnerability was found in the 389-ds-base LDAP server. This issue may allow an authenticated user to cause a server denial of service while attempting to log in with a user with a malformed hash in their password. 2024-09-20 CVE-2024-5953 openEuler-22.03-LTS-SP3 Medium 5.7 AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H three-eight-nine-ds-base security update 2024-09-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2168