When using a sync_repl client, an authenticated attacker can cause a NULL pointer dereference using a specially crafted query, causing a crash of 389-ds-base.

Upstream reference: https://github.com/389ds/389-ds-base/issues/4711
Acknowledgments: Name: Thierry Bordaz
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1952944]
Statement: Red Hat Identity Management is affected by this flaw
Upstream fixes:

master: https://github.com/389ds/389-ds-base/commit/d7eef2fcfbab2ef8aa6ee0bf60f0a9b16ede66e0

1.4.3: https://github.com/389ds/389-ds-base/commit/2e5b526012612d1d6ccace46398bee679a730271

1.4.4: https://github.com/389ds/389-ds-base/commit/58dbf084a63e6dbbd999bf6a70475fad8255f26a
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:2595 https://access.redhat.com/errata/RHSA-2021:2595
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3514
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2796 https://access.redhat.com/errata/RHSA-2021:2796
This issue has been addressed in the following products:

Red Hat Directory Server 11.4

Via RHSA-2021:3955 https://access.redhat.com/errata/RHSA-2021:3955
This issue has been addressed in the following products:

Red Hat Directory Server 11.3 for RHEL 8

Via RHSA-2022:0952 https://access.redhat.com/errata/RHSA-2022:0952