- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4021-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Andrej Shadura
January 19, 2025                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : 389-ds-base
Version        : 1.4.4.11-2+deb11u1
CVE ID         : CVE-2021-3652 CVE-2021-4091 CVE-2022-0918 CVE-2022-0996 
                 CVE-2022-2850 CVE-2024-2199 CVE-2024-3657 CVE-2024-5953 
                 CVE-2024-8445

This update fixes multiple vulnerabilities in 389-ds-base LDAP server.

CVE-2021-3652

    If an asterisk is imported as password hashes, either accidentally
    or maliciously, then instead of being inactive, any password will
    successfully match during authentication. This flaw allows an attacker
    to successfully authenticate as a user whose password was disabled.

CVE-2021-4091

    A double-free was found in the way 389-ds-base handles virtual
    attributes context in persistent searches. An attacker could send a
    series of search requests, forcing the server to behave unexpectedly,
    and crash.

CVE-2022-0918

    A vulnerability allows an unauthenticated attacker with network
    access to the LDAP port to cause a denial of service. The denial of
    service is triggered by a single message sent over a TCP connection,
    no bind or other authentication is required. The message triggers
    a segmentation fault that results in slapd crashing.

CVE-2022-0996

    A vulnerability allows expired passwords to access the database to
    cause improper authentication.

CVE-2022-2850

    When the content synchronization plugin is enabled, an authenticated
    user can reach a NULL pointer dereference using a specially
    crafted query. This flaw allows an authenticated attacker to cause
    a denial of service. This CVE is assigned against an incomplete fix
    of CVE-2021-3514.

CVE-2024-2199

    A denial of service vulnerability that may allow an authenticated
    user to cause a server crash while modifying `userPassword` using
    malformed input.

CVE-2024-3657

    A specially-crafted LDAP query can potentially cause a failure on
    the directory server, leading to a denial of service.

CVE-2024-5953

    This issue may allow an authenticated user to cause a server denial
    of service while attempting to log in with a user with a malformed
    hash in their password.

CVE-2024-8445

    The fix for CVE-2024-2199 in 389-ds-base was insufficient to cover
    all scenarios. In certain product versions, an authenticated user
    may cause a server crash while modifying `userPassword` using
    malformed input.

For Debian 11 bullseye, these problems have been fixed in version
1.4.4.11-2+deb11u1.

We recommend that you upgrade your 389-ds-base packages.

For the detailed security status of 389-ds-base please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/389-ds-base

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS