Bug 979508 - (CVE-2013-2219) CVE-2013-2219 Directory Server: ACLs inoperative in some search scenarios
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
: Security
Duplicates: 979410
Depends On: 979514 979515 979516 989682 989683
Blocks: 979512
Reported: 2013-06-28 13:06 EDT by Vincent Danen
Modified: 2015-10-15 13:53 EDT
Doc Type: Bug Fix

Attachments
Patch (3.58 KB, patch), 2013-07-22 14:27 EDT, Nathan Kinder

External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2013:1116 | normal | SHIPPED_LIVE | Moderate: redhat-ds-base security and bug fix update | 2013-07-30 04:16:30 EDT
Red Hat Product Errata | RHSA-2013:1119 | normal | SHIPPED_LIVE | Moderate: 389-ds-base security and bug fix update | 2013-07-30 16:57:57 EDT

Description Vincent Danen 2013-06-28 13:06:44 EDT
A flaw was found in how Red Hat Directory Server and the 389 Directory Server would handle access controls to certain attributes of an entry.  A user with access to the Directory Server could use a series of searches to guess the values of other attributes that they should not be able to see.  If a user had access (authenticated or anonymous, depending on whether or not the Directory Server allows anonymous access), they could use this to obtain information that should be restricted due to access controls.
Comment 2 Vincent Danen 2013-06-28 13:09:16 EDT

This issue was discovered by Ludwig Krispenz of Red Hat.
Comment 5 Nathan Kinder 2013-06-28 17:18:49 EDT
*** Bug 979410 has been marked as a duplicate of this bug. ***
Comment 13 Vincent Danen 2013-07-29 13:34:35 EDT
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 989683]
Comment 14 errata-xmlrpc 2013-07-30 00:18:28 EDT
This issue has been addressed in following products:

  Red Hat Directory Server 8 for RHEL 5

Via RHSA-2013:1116 https://rhn.redhat.com/errata/RHSA-2013-1116.html
Comment 15 errata-xmlrpc 2013-07-30 13:01:34 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1119 https://rhn.redhat.com/errata/RHSA-2013-1119.html
Comment 16 Fedora Update System 2013-08-30 19:03:06 EDT
389-ds-base- has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
