A flaw was found in how Red Hat Directory Server and the 389 Directory Server would handle access controls to certain attributes of an entry. A user with access to the Directory Server could use a series of searches to guess the values of other attributes that they should not be able to see. If a user had access (authenticated or anonymous, depending on whether or not the Directory Server allows anonymous access), they could use this to obtain information that should be restricted due to access controls.
Acknowledgements: This issue was discovered by Ludwig Krispenz of Red Hat.
*** Bug 979410 has been marked as a duplicate of this bug. ***
Created 389-ds-base tracking bugs for this issue: Affects: fedora-all [bug 989683]
This issue has been addressed in the following products: Red Hat Directory Server 8 for RHEL 5, via RHSA-2013:1116 https://rhn.redhat.com/errata/RHSA-2013-1116.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6, via RHSA-2013:1119 https://rhn.redhat.com/errata/RHSA-2013-1119.html
389-ds-base-1.3.1.7-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.