It was reported that the nsSSL3Ciphers preference is not enforced server side, which allows for a potential downgrade attack to take place.

Upstream bug report: https://fedorahosted.org/389/ticket/48194
This flaw was caused by the following fix applied to 389-ds-base: https://fedorahosted.org/389/ticket/47838
Created 389-ds-base tracking bugs for this issue: Affects: fedora-all [bug 1232896]
As noted in comment 2, this flaw was introduced as part of the fixes for issues tracked via the upstream bug noted in comment 2, applied upstream via the following commits (plus a few related commits updating the test suite and correcting mistakes):

https://fedorahosted.org/389/changeset/13c0d2f7b7850676042fe05c917a7d498135324f/
https://fedorahosted.org/389/changeset/5f3c87e1380e56d76d4a4bef3af07633a8589891/
https://fedorahosted.org/389/changeset/c6febe325a1b5a0e4f7e7e59bcc076c9e4a3b825/

This issue was corrected via the following commit:

https://fedorahosted.org/389/changeset/53c9c4e84e3bcbc40de87b1e7cf7634d14599e1c/

The regression from upstream ticket 47838 was introduced to Red Hat Enterprise Linux 7 via RHSA-2015:0416, released as part of Red Hat Enterprise Linux 7.1, which updated 389-ds-base packages to upstream version 1.3.3. Changes that introduced this flaw have not been added to 389-ds-base packages in Red Hat Enterprise Linux 6.
In Red Hat Enterprise Linux 7, this issue was already corrected via RHBA-2015:1554: https://rhn.redhat.com/errata/RHBA-2015-1554.html

Statement: This issue was corrected in Red Hat Enterprise Linux 7 via RHBA-2015:1554. It did not affect the versions of 389-ds-base as shipped with Red Hat Enterprise Linux 6.