It was found that 389 Directory Server is vulnerable to a remote password disclosure via timing attack. Due to the use of strcmp and memcmp in the verification of passwords and hashes, a remote attacker is able to tell the difference between computation times, which makes him able to retrieve the password after many tries. This affects systems storing passwords in plain text. Systems using unsalted hashes might be unsafe as well if using weak hash algorithms; however, the attack would be very time-consuming.
Acknowledgments: Name: William Brown (Red Hat)
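The comparison behaviour described in the report, shown as an added example (this is not 389 Directory Server's code or the shipped fix). An early-exit comparison of the kind strcmp and memcmp may perform is set beside a constant-time one, with a count of bytes examined standing in for running time. The function names, FIELD_LEN and the sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 16 /* assumed fixed-width credential field (constructed) */

/* Early exit: the work done depends on where the first mismatch is. */
static int leaky_equal(const unsigned char *a, const unsigned char *b,
                       size_t len, size_t *examined)
{
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i]) { *examined = i + 1; return 0; }
    }
    *examined = len;
    return 1;
}

/* Constant time: every byte is read and differences are OR-ed into one
 * accumulator, so there is no data-dependent branch or early return. */
static int ct_equal(const unsigned char *a, const unsigned char *b,
                    size_t len, size_t *examined)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    *examined = len;
    return diff == 0;
}

/* Zero-pad both values to FIELD_LEN, compare, return bytes examined. */
static size_t bytes_examined(const char *stored, const char *guess,
                             int constant_time, int *match)
{
    unsigned char s[FIELD_LEN] = {0}, g[FIELD_LEN] = {0};
    size_t n = 0;
    strncpy((char *)s, stored, FIELD_LEN);
    strncpy((char *)g, guess, FIELD_LEN);
    *match = constant_time ? ct_equal(s, g, FIELD_LEN, &n)
                           : leaky_equal(s, g, FIELD_LEN, &n);
    return n;
}

int main(void)
{
    const char *stored = "hunter2"; /* constructed sample value */
    const char *guesses[] = { "xxxxxxx", "huxxxxx", "huntexx", "hunter2" };
    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++) {
        int m1, m2;
        size_t leaky = bytes_examined(stored, guesses[i], 0, &m1);
        size_t ct = bytes_examined(stored, guesses[i], 1, &m2);
        printf("%-8s leaky=%2zu ct=%2zu match=%d\n", guesses[i], leaky, ct, m2);
    }
    return 0;
}
```

The leaky column grows with the length of the matching prefix while the constant-time column stays at FIELD_LEN, which is the property a fixed comparison needs.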
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2016:2594 https://rhn.redhat.com/errata/RHSA-2016-2594.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2016:2765 https://rhn.redhat.com/errata/RHSA-2016-2765.html