Security update for 389-ds

Announcement ID:	SUSE-SU-2021:1878-1
Rating:	moderate
References:	bsc#1185356
Cross-References:	CVE-2021-3514
CVSS scores:	CVE-2021-3514 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-3514 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:	Server Applications Module 15-SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Manager Proxy 4.1 SUSE Manager Retail Branch Server 4.1 SUSE Manager Server 4.1

An update that solves one vulnerability can now be installed.

Description:

This update for 389-ds fixes the following issues:

• CVE-2021-3514: Fixed a sync_repl NULL pointer dereference in sync_create_state_control() (bsc#1185356)

389-ds was updated to version 1.4.3.23~git0.f53d0132b:

Bump version to 1.4.3.23:

• Issue 4725 - [RFE] DS - Update the password policy to support a Temporary Password Rules (#4727)
• Issue 4759 - Fix coverity issue (#4760)
• Issue 4656 - Fix cherry pick error around replication enabling
• Issue 4701 - RFE - Exclude attributes from retro changelog (#4723) (#4746)
• Issue 4742 - UI - should always use LDAPI path when calling CLI
• Issue 4667 - incorrect accounting of readers in vattr rwlock (#4732)
• Issue 4711 - SIGSEV with sync_repl (#4738)
• Issue 4649 - fix testcase importing ContentSyncPlugin
• Issue 2736 - Warnings from automatic shebang munging macro
• Issue 2736 - https://github.com/389ds/389-ds-base/issues/2736
• Issue 4706 - negative wtime in access log for CMP operations

Bump version to 1.4.3.22:

• Issue 4671 - UI - Fix browser crashes
• lib389 - Add ContentSyncPlugin class
• Issue 4656 - lib389 - fix cherry pick error
• Issue 4229 - Fix Rust linking
• Issue 4658 - monitor - connection start date is incorrect
• Issue 2621 - lib389 - backport ds_supports_new_changelog()
• Issue 4656 - Make replication CLI backwards compatible with role name change
• Issue 4656 - Remove problematic language from UI/CLI/lib389
• Issue 4459 - lib389 - Default paths should use dse.ldif if the server is down
• Issue 4663 - CLI - unable to add objectclass/attribute without x-origin

Bump version to 1.4.3.21:

• Issue 4169 - UI - updates on the tuning page are not reflected in the UI
• Issue 4588 - BUG - unable to compile without xcrypt (#4589)
• Issue 4513 - Fix replication CI test failures (#4557)
• Issue 4646 - CLI/UI - revise DNA plugin management
• Issue 4644 - Large updates can reset the CLcache to the beginning of the changelog (#4647)
• Issue 4649 - crash in sync_repl when a MODRDN create a cenotaph (#4652)
• Issue 4615 - log message when psearch first exceeds max threads per conn

Bump version to 1.4.3.20:

• Issue 4324 - Some architectures the cache line size file does not exist
• Issue 4593 - RFE - Print help when nsSSLPersonalitySSL is not found (#4614)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Server Applications Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-1878=1

Package List:

• Server Applications Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • 389-ds-1.4.3.23~git0.f53d0132b-3.15.1
  • libsvrcore0-1.4.3.23~git0.f53d0132b-3.15.1
  • 389-ds-devel-1.4.3.23~git0.f53d0132b-3.15.1
  • 389-ds-debuginfo-1.4.3.23~git0.f53d0132b-3.15.1
  • lib389-1.4.3.23~git0.f53d0132b-3.15.1
  • 389-ds-debugsource-1.4.3.23~git0.f53d0132b-3.15.1
  • libsvrcore0-debuginfo-1.4.3.23~git0.f53d0132b-3.15.1

References:

• https://www.suse.com/security/cve/CVE-2021-3514.html
• https://bugzilla.suse.com/show_bug.cgi?id=1185356