
List:       oss-security
Subject:    [oss-security] 389-ds DoS due to improper handling of ger attr searches (CVE-2013-4485)
From:       Vincent Danen <vdanen () redhat ! com>
Date:       2013-11-21 15:15:07
Message-ID: 20131121151507.GP2523 () redhat ! com

A flaw was found in how 389-ds-base and Red Hat Directory Server handled
the checking of access rights on entries using GER (Get Effective Rights),
a way to extend directory searches to also display what access rights a
user has to a specified entry.  When an attribute list is given in the
search request, and if there are several attributes whose names contain
the '@' character, 389-ds-base and Red Hat Directory Server would crash.
An attacker able to contact the server would be able to submit this type
of search request with no authentication required.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4485


(Obviously no CVE is required, posting here as this was previously sent
to the distros@ mailing list)
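As an added triage example (not part of the advisory and not code from the 389-ds project), the check below scans constructed access-log SRCH records for attribute lists carrying two or more '@' attributes, the condition the advisory describes; the log field layout is an assumption of this example.

```python
import re
from typing import Dict, List

# Constructed sample lines in the style of a 389-ds access log SRCH record.
# The field layout is an assumption for this example, not taken from the advisory.
SAMPLE_LOG = """\
[21/Nov/2013:15:15:07 +0000] conn=12 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="cn mail"
[21/Nov/2013:15:15:08 +0000] conn=13 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs="@person"
[21/Nov/2013:15:15:09 +0000] conn=14 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs="@person @inetorgperson cn"
[21/Nov/2013:15:15:10 +0000] conn=15 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
"""

# Matches conn/op and the attrs field, which is either a quoted list or a bare token such as ALL.
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH .*?attrs=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))'
)


def at_attrs(attr_list: str) -> List[str]:
    """Return the requested attribute names that contain an '@' character."""
    return [a for a in attr_list.split() if "@" in a]


def flag_multi_at_searches(log_text: str, threshold: int = 2) -> List[Dict]:
    """Return one record per SRCH line whose attribute list has >= threshold '@' attributes.

    A hit is a triage signal for an unpatched server, not proof of an attack: the
    access log line alone does not show whether the GER control was attached.
    """
    hits = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if not m:
            continue
        attrs = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        ats = at_attrs(attrs)
        if len(ats) >= threshold:
            hits.append({"conn": int(m.group("conn")), "op": int(m.group("op")), "at_attrs": ats})
    return hits


if __name__ == "__main__":
    for hit in flag_multi_at_searches(SAMPLE_LOG):
        print(f"conn={hit['conn']} op={hit['op']} '@' attrs: {' '.join(hit['at_attrs'])}")
```

Only the third sample line is reported; a single '@' attribute (conn=13) and the bare `attrs=ALL` form are not flagged.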

-- 
Vincent Danen / Red Hat Security Response Team 