389 Directory Server is vulnerable to search queries with malformed values in the servers/slapd/search.c:do_search() function. A malicious client could exploit this by sending crafted queries in a loop to cause a denial of service.
Created 389-ds-base tracking bugs for this issue: Affects: fedora-all [bug 1631695]
Sam, is there a upstream issue reference for this issue (and a commit reference)?
Hi, Correcting the needinfo. The assigned engineer is on leave and you should get an update early next week. Regards YOG.
Created attachment 1491956 [details] fix for v1.3.8.4 (1/2)
Created attachment 1491958 [details] additional regression fix for v1.3.8.4 (2/2)
Hi Salvatore, The fix has not been pushed upstream yet. You will find a proposed fix for v1.3.8.4 attachment (2 patches)
External References: https://pagure.io/389-ds-base/issue/49969
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3127 https://access.redhat.com/errata/RHSA-2018:3127
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2018:3507 https://access.redhat.com/errata/RHSA-2018:3507
Patches are attached to this bugzilla. For upstream fixes: Fixed in 1.4.0.18 : https://pagure.io/389-ds-base/c/a49bd03d6 https://pagure.io/389-ds-base/c/a6369790c For older branches: * 1.3.7 : https://pagure.io/389-ds-base/c/c8ec6e58c https://pagure.io/389-ds-base/c/722a6f867 * 1.3.8 : https://pagure.io/389-ds-base/c/5fc374b43 https://pagure.io/389-ds-base/c/bdb1af66c