[El-errata] ELSA-2016-2594 Moderate: Oracle Linux 7 389-ds-base security, bug fix, and enhancement update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Nov 10 11:09:09 PST 2016


Oracle Linux Security Advisory ELSA-2016-2594

http://linux.oracle.com/errata/ELSA-2016-2594.html

The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
389-ds-base-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-devel-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-libs-1.3.5.10-11.el7.x86_64.rpm
389-ds-base-snmp-1.3.5.10-11.el7.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/389-ds-base-1.3.5.10-11.el7.src.rpm



Description of changes:

[1.3.5.10-11]
- Release 1.3.5.10-11
- Resolves: bug 1321124 - Replication changelog can incorrectly skip 
over updates

[1.3.5.10-10]
- Release 1.3.5.10-10
- Resolves: bug 1370300 - set proper update status to replication 
agreement in case of failure (DS 48957)
- Resolves: bug 1209094 - Allow logging of rejected changes (DS 48969)

[1.3.5.10-9]
- Release 1.3.5.10-9
- Resolves: bug 1364190 - Change example in /etc/sysconfig/dirsrv to use 
tcmalloc (DS 48950)
- Resolves: bug 1366828 - audit on failure doesn't work if attribute 
nsslapd-auditlog-logging-enabled is NOT enabled (DS 48958)
- Resolves: bug 1368520 - Crash in import_wait_for_space_in_fifo() (DS 
48960)
- Resolves: bug 1368956 - man page of ns-accountstatus.pl shows 
redundant entries for -p port option
- Resolves: bug 1369537 - passwordMinAge attribute doesn't limit the 
minimum age of the password (DS 48967)
- Resolves: bug 1369570 - cleanallruv changelog cleaning incorrectly 
impacts all backends (DS 48964)
- Resolves: bug 1369425 - ACI behaves erratically (DS 48972)
- Resolves: bug 1370300 - set proper update status to replication 
agreement in case of failure (DS 48957)
- Resolves: bug 1209094 - Allow logging of rejected changes (DS 48969)
- Resolves: bug 1371283 - Server Side Sorting crashes the server. (DS 48970)
- Resolves: bug 1371284 - Disabling CLEAR password storage scheme will 
crash server when setting a password (DS 48975)

[1.3.5.10-8]
- Release 1.3.5.10-8
- Resolves: bug 1321124 - Replication changelog can incorrectly skip 
over updates (DS 48954)
- Resolves: bug 1364190 - Change example in /etc/sysconfig/dirsrv to use 
tcmalloc (DS 48950)
- Resolves: bug 1366561 - ns-accountstatus.pl giving error even "No such 
object (32)" (DS 48956)

[1.3.5.10-7]
- Release 1.3.5.10-7
- Resolves: bug 1316580 - dirsrv service doesn't ask for pin when 
pin.txt is missing (DS 48450)
- Resolves: bug 1360976 - fixing a compiler warning

[1.3.5.10-6]
- Release 1.3.5.10-6
- Resolves: bug 1326077 - Page result search should return empty cookie 
if there is no returned entry (DS 48928)
- Resolves: bug 1360447 - nsslapd-workingdir is empty when ns-slapd is 
started by systemd (DS 48939)
- Resolves: bug 1360327 - remove-ds.pl deletes an instance even if wrong 
prefix was specified (DS 48934)
- Resolves: bug 1349815 - DS logs have warning:ancestorid not indexed 
for all CS subsystems (DS 48940)
- Resolves: bug 1329061 - 389-ds-base-1.3.4.0-29.el7_2 "hang" (DS 48882)
- Resolves: bug 1360976 - EMBARGOED CVE-2016-5405 389-ds-base: Password 
verification vulnerable to timing attack
- Resolves: bug 1361134 - When fine-grained policy is applied, a 
sub-tree has a priority over a user while changing password (DS 48943)
- Resolves: bug 1361321 - Duplicate collation entries (DS 48936)
- Resolves: bug 1316580 - dirsrv service doesn't ask for pin when 
pin.txt is missing (DS 48450)
- Resolves: bug 1350799 - CVE-2016-4992 389-ds-base: Information 
disclosure via repeat

[1.3.5.10-5]
- Release 1.3.5.10-5
- Resolves: bug 1333184 - (389-ds-base-1.3.5) Fixing coverity issues. 
(DS 48919)

[1.3.5.10-4]
- Release 1.3.5.10-4
- Resolves: bug 1209128 - [RFE] Add a utility to get the status of 
Directory Server instances (DS 48144)
- Resolves: bug 1333184 - (389-ds-base-1.3.5) Fixing coverity issues. 
(DS 48919)
- Resolves: bug 1350799 - CVE-2016-4992 389-ds-base: Information 
disclosure via repeat
- Resolves: bug 1354660 - flow control in replication also blocks 
receiving results (DS 48767)
- Resolves: bug 1356261 - Fixup tombstone task needs to set proper flag 
when updating (DS 48924)
- Resolves: bug 1355760 - ns-slapd crashes during the deletion of 
backend (DS 48922)
- Resolves: bug 1353629 - DS shuts down automatically if dnaThreshold is 
set to 0 in a MMR setup (DS 48916)
- Resolves: bug 1355879 - nunc-stans: ns-slapd crashes during startup 
with SIGILL on AMD Opteron 280 (DS 48925)

[1.3.5.10-3]
- Release 1.3.5.10-3
- Resolves: bug 1354374 - Fixing the tarball version in the sources file.

[1.3.5.10-2]
- Release 1.3.5.10-2
- Resolves: bug 1353714 - If a cipher is disabled do not attempt to look 
it up (DS 48743)
- Resolves: bug 1353592 - Setup-ds.pl --update fails - regression (DS 48755)
- Resolves: bug 1353544 - db2bak.pl task enters infinite loop when bak 
fs is almost full (DS 48914)
- Resolves: bug 1354374 - Upgrade to 389-ds-base >= 1.3.5.5 doesn't 
install 389-ds-base-snmp (DS 48918)

[1.3.5.10-1]
- Release 1.3.5.10-1
- Resolves: bug 1333184 - (389-ds-base-1.3.5) Fixing coverity issues. 
(DS 48905)

[1.3.5.9-1]
- Release 1.3.5.9-1
- Resolves: bug 1349571 - Improve MMR replication convergence (DS 48636)
- Resolves: bug 1304682 - "stale" automember rule (associated to a 
removed group) causes discrepancies in the database (DS 48637)
- Resolves: bug 1314956 - moving an entry cause next on-line init to 
skip entry has no parent, ending at line 0 of file "(bulk import)" (DS 
48755)
- Resolves: bug 1316731 - syncrepl search returning error 329; plugin 
sending a bad error code (DS 48904)
- Resolves: bug 1346741 - ns-slapd crashes during the shutdown after 
adding attribute with a matching rule  (DS 48891)
- Resolves: bug 1349577 - Values of dbcachetries/dbcachehits in 
cn=monitor could overflow. (DS 48899)
- Resolves: bug 1272682 - nunc-stans: ns-slapd killed by SIGABRT (DS 48898)
- Resolves: bug 1346043 - repl-monitor displays colors incorrectly for 
the time lag > 60 min (DS 47538)
- Resolves: bug 1350632 - ns-slapd shutdown crashes if pwdstorageschema 
name is from stack. (DS 48902)

[1.3.5.8-1]
- Release 1.3.5.8-1
- Resolves: bug 1290101 - proxyauth support does not work when bound as 
directory  manager (DS 48366)

[1.3.5.7-1]
- Release 1.3.5.7-1
- Resolves: bug 1196282 - substring index with nssubstrbegin: 1 is not 
being used with filters like (attr=x*) (DS 48109)
- Resolves: bug 1303794 - Import readNSState.py from RichM's repo (DS 48449)
- Resolves: bug 1290101 - proxyauth support does not work when bound as 
directory  manager (DS 48366)
- Resolves: bug 1338872 - Wrong result code display in audit-failure log 
(DS 48892)
- Resolves: bug 1346043 - repl-monitor displays colors incorrectly for 
the time lag > 60 min (DS 47538)
- Resolves: bug 1346741 - ns-slapd crashes during the shutdown after 
adding attribute with a matching rule  (DS 48891)
- Resolves: bug 1347407 - By default aci can be read by anonymous (DS 48354)
- Resolves: bug 1347412 - cn=SNMP,cn=config entry can be read by 
anonymous (DS 48893)

[1.3.5.6-1]
- Release 1.3.5.6-1
- Resolves: bug 1273549 - [RFE] Improve timestamp resolution in logs (DS 
47982)
- Resolves: bug 1321124 - Replication changelog can incorrectly skip 
over updates (DS 48766, DS 48636)
- Resolves: bug 1233926 - "matching rules" in ACI's "bind rules not 
fully evaluated (DS 48234)
- Resolves: bug 1346165 - 389-ds-base-1.3.5.5-1.el7.x86_64 requires 
policycoreutils-py

[1.3.5.5-1]
- Release 1.3.5.5-1
- Resolves: bug 1018944 - [RFE] Enhance password change tracking (DS 48833)
- Resolves: bug 1344414 - [RFE] adding pre/post extop ability (DS 48880)
- Resolves: bug 1303794 - Import readNSState.py from RichM's repo (DS 48449)
- Resolves: bug 1257568 - /usr/lib64/dirsrv/libnunc-stans.so is owned by 
both -libs and -devel (DS 48404)
- Resolves: bug 1314956 - moving an entry cause next on-line init to 
skip entry has no parent, ending at line 0 of file "(bulk import)" (DS 
48755)
- Resolves: bug 1342609 - At startup DES to AES password conversion 
causes timeout in start script (DS 48862)
- Resolves: bug 1316328 - search returns no entry when OR filter 
component contains non readable attribute (DS 48275)
- Resolves: bug 1280456 - setup-ds should detect if port is already 
defined (DS 48336)
- Resolves: bug 1312557 - dirsrv service fails to start when 
nsslapd-listenhost is configured (DS 48747)
- Resolves: bug 1326077 - Page result search should return empty cookie 
if there is no returned entry (DS 48752)
- Resolves: bug 1340307 - Running db2index with no options breaks 
replication (DS 48854)
- Resolves: bug 1337195 - Regression introduced in matching rules by DS 
48746 (DS 48844)
- Resolves: bug 1335492 - Modifier's name is not recorded in the audit 
log with modrdn and moddn operations (DS 48834)
- Resolves: bug 1316741 - ldctl should support -H with ldap uris (DS 48754)

[1.3.5.4-1]
- release 1.3.5.4-1
- Resolves: bug 1334455 - db2ldif is not taking into account multiple 
suffixes or backends (DS 48828)
- Resolves: bug 1241563 - The "repl-monitor" web page does not display 
"year" in date. (DS 48220)
- Resolves: bug 1335618 - Server ram sanity checks work in isolation (DS 
48617)
- Resolves: bug 1333184 - (389-ds-base-1.3.5) Fixing coverity issues. 
(DS 48837)

[1.3.5.3-1]
- release 1.3.5.3-1
- Resolves: bug 1209128 - [RFE] Add a utility to get the status of 
Directory Server instances (DS 48144)
- Resolves: bug 1332533 - ns-accountstatus.pl gives error message on 
execution along with results. (DS 48815)
- Resolves: bug 1332709 - password history is not updated when an admin 
resets the password (DS 48813)
- Resolves: bug 1333184 - (389-ds-base-1.3.5) Fixing coverity issues. 
(DS 48822)
- Resolves: bug 1333515 - Enable DS to offer weaker DH params in NSS 
(DS 48798)

[1.3.5.2-1]
- release 1.3.5.2-1
- Resolves: bug 1270020 - Rebase 389-ds-base to 1.3.5 in RHEL-7.3
- Resolves: bug 1288229 - many attrlist_replace errors in connection 
with cleanallruv (DS 48283)
- Resolves: bug 1315893 - License tag does not match actual license of 
code (DS 48757)
- Resolves: bug 1320715 - DES to AES password conversion fails if a 
backend is empty (DS 48777)
- Resolves: bug 190862  - [RFE] Default password syntax settings don't 
work with fine-grained policies (DS 142)
- Resolves: bug 1018944 - [RFE] Enhance password change tracking (DS 548)
- Resolves: bug 1143066 - The dirsrv user/group should be created in rpm 
%pre, and ideally with fixed uid/gid (DS 48285)
- Resolves: bug 1153758 - [RFE] Support SASL/GSSAPI when ns-slapd is 
behind a load-balancer (DS 48332)
- Resolves: bug 1160902 - search, matching rules and filter error 
"unsupported type 0xA9" (DS 48016)
- Resolves: bug 1186512 - High memory fragmentation observed in 
ns-slapd; OOM-Killer invoked (DS 48377, 48129)
- Resolves: bug 1196282 - substring index with nssubstrbegin: 1 is not 
being used with filters like (attr=x*) (DS 48109)
- Resolves: bug 1209094 - [RFE] Allow logging of rejected changes (DS 
48145, 48280)
- Resolves: bug 1209128 - [RFE] Add a utility to get the status of 
Directory Server instances (DS 48144)
- Resolves: bug 1210842 - [RFE] Add PIDFile option to systemd service 
file (DS 47951)
- Resolves: bug 1223510 - [RFE] it could be nice to have 
nsslapd-maxbersize default to bigger than 2Mb (DS 48326)
- Resolves: bug 1229799 - ldclt-bin killed by SIGSEGV (DS 48289)
- Resolves: bug 1249908 - No validation check for the value for 
nsslapd-db-locks. (DS 48244)
- Resolves: bug 1254887 - No man page entry for - option '-u' of 
dbgen.pl for adding group entries with uniquemembers (DS 48290)
- Resolves: bug 1255557 - db2index creates index entry from deleted 
records (DS 48252)
- Resolves: bug 1258610 - total update request must not be lost (DS 48255)
- Resolves: bug 1258611 - dna plugin needs to handle binddn groups for 
authorization (DS 48258)
- Resolves: bug 1259624 - [RFE] Provide a utility to detect accounts 
locked due to inactivity (DS 48269)
- Resolves: bug 1259950 - Add config setting to MemberOf Plugin to add 
required objectclass got memberOf attribute (DS 48267)
- Resolves: bug 1266510 - Linked Attributes plug-in - wrong behaviour 
when adding valid and broken links (DS 48295)
- Resolves: bug 1266532 - Linked Attributes plug-in - won't update links 
after MODRDN operation (DS 48294)
- Resolves: bug 1267750 - pagedresults - when timed out, search results 
could have been already freed. (DS 48299)
- Resolves: bug 1269378 - ds-logpipe.py with wrong arguments - python 
exception in the output (DS 48302)
- Resolves: bug 1271330 - nunc-stans: Attempt to release connection that 
is not acquired (DS 48311)
- Resolves: bug 1272677 - nunc stans: ns-slapd killed by SIGTERM
- Resolves: bug 1272682 - nunc-stans: ns-slapd killed by SIGABRT
- Resolves: bug 1273142 - crash in Managed Entry plugin (DS 48312)
- Resolves: bug 1273549 - [RFE] Improve timestamp resolution in logs (DS 
47982)
- Resolves: bug 1273550 - Deadlock between two MODs on the same entry 
between entry cache and backend lock (DS 47978)
- Resolves: bug 1273555 - deadlock in mep delete post op (DS 47976)
- Resolves: bug 1273584 - lower password history minimum to 1 (DS 48394)
- Resolves: bug 1275763 - [RFE] add setup-ds.pl option to disable 
instance specific scripts (DS 47840)
- Resolves: bug 1276072 - [RFE] Allow RHDS to be setup using a DNS CNAME 
alias for General.FullMachineName (DS 48328)
- Resolves: bug 1278567 - SimplePagedResults -- abandon could happen 
between the abandon check and sending results (DS 48338)
- Resolves: bug 1278584 - Share nsslapd-threadnumber in the case 
nunc-stans is enabled, as well. (DS 48339)
- Resolves: bug 1278755 - deadlock on connection mutex (DS 48341)
- Resolves: bug 1278987 - Cannot upgrade a consumer to supplier in a 
multimaster environment (DS 48325)
- Resolves: bug 1280123 - acl - regression - trailing ', (comma)' in 
macro matched value is not removed. (DS 48344)
- Resolves: bug 1290111 - [RFE] Support for rfc3673 '+' to return 
operational attributes (DS 48363)
- Resolves: bug 1290141 - With exhausted range, part of DNA shared 
configuration is deleted after server restart (DS 48362)
- Resolves: bug 1290242 - SimplePagedResults -- in the search error 
case, simple paged results slot was not released. (DS 48375)
- Resolves: bug 1290600 - The 'eq' index does not get updated properly 
when deleting and re-adding attributes in the same ldapmodify operation 
(DS 48370)
- Resolves: bug 1295947 - 389-ds hanging after a few minutes of 
operation (DS 48406, revert 48338)
- Resolves: bug 1296310 - ldclt - segmentation fault error while binding 
(DS 48400)
- Resolves: bug 1299758 - CVE-2016-0741 389-ds-base: Worker threads do 
not detect abnormally closed connections causing DoS [rhel-7.3]
- Resolves: bug 1301097 - logconv.pl displays negative operation speeds 
(DS 48446)
- Resolves: bug 1302823 - Crash in slapi_get_object_extension (DS 48536)
- Resolves: bug 1303641 - heap corruption at schema replication. (DS 48492)
- Resolves: bug 1307151 - keep alive entries can break replication (DS 
48445)
- Resolves: bug 1310848 - Supplier can skip a failing update, although 
it should retry. (DS 47788)
- Resolves: bug 1314557 - change severity of some messages related to 
"keep alive" entries (DS 48420)
- Resolves: bug 1316580 - dirsrv service doesn't ask for pin when 
pin.txt is missing (DS 48450)
- Resolves: bug 1316742 - no plugin calls in tombstone purging (DS 48759)
- Resolves: bug 1319329 - [RFE] add nsslapd-auditlog-logging-enabled: 
off to template-dse.ldif (DS 48145)
- Resolves: bug 1320295 - If nsSSL3 is on, even if SSL v3 is not really 
enabled, a confusing message is logged. (DS 48775)
- Resolves: bug 1326520 - db2index uses a buffer size derived from 
dbcachesize (DS 48383)
- Resolves: bug 1328936 - objectclass values could be dropped on the 
consumer (DS 48799)
- Resolves: bug 1287475 - [RFE] response control for password age should 
be sent by default by RHDS (DS 48369)
- Resolves: bug 1331343 - Paged results search returns the blank list of 
entries (DS 48808)



