Bug 979508 (CVE-2013-2219)

Summary: CVE-2013-2219 Directory Server: ACLs inoperative in some search scenarios
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: edewata, jbuchta, jgalipea, jkurik, lkrispen, mreynolds, msauton, nhosoi, nkinder, rmeggins, security-response-team
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20130729,reported=20130627,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,rhel-6/389-ds-base=affected,directory_server_8/Server=affected,rhel-7/389-ds-base=notaffected,fedora-all/389-ds-base=affected
Doc Type: Bug Fix
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 979514, 979515, 979516, 989682, 989683
Bug Blocks: 979512
Attachments: Patch (flags: none)

Description Vincent Danen 2013-06-28 13:06:44 EDT
A flaw was found in how Red Hat Directory Server and the 389 Directory Server would handle access controls to certain attributes of an entry.  A user with access to the Directory Server could use a series of searches to guess the values of other attributes that they should not be able to see.  If a user had access (authenticated or anonymous, depending on whether or not the Directory Server allows anonymous access), they could use this to obtain information that should be restricted due to access controls.
Comment 2 Vincent Danen 2013-06-28 13:09:16 EDT
Acknowledgements:

This issue was discovered by Ludwig Krispenz of Red Hat.
Comment 5 Nathan Kinder 2013-06-28 17:18:49 EDT
*** Bug 979410 has been marked as a duplicate of this bug. ***
Comment 13 Vincent Danen 2013-07-29 13:34:35 EDT
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 989683]
Comment 14 errata-xmlrpc 2013-07-30 00:18:28 EDT
This issue has been addressed in the following products:

  Red Hat Directory Server 8 for RHEL 5

Via RHSA-2013:1116 https://rhn.redhat.com/errata/RHSA-2013-1116.html
Comment 15 errata-xmlrpc 2013-07-30 13:01:34 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1119 https://rhn.redhat.com/errata/RHSA-2013-1119.html
Comment 16 Fedora Update System 2013-08-30 19:03:06 EDT
389-ds-base-1.3.1.7-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.