Security update for 389-ds

Announcement ID:	SUSE-SU-2024:3844-1
Release Date:	2024-10-31T08:50:28Z
Rating:	important
References:	bsc#1225512 bsc#1226277 bsc#1228912 bsc#1230852 bsc#1231462
Cross-References:	CVE-2024-2199 CVE-2024-3657 CVE-2024-5953
CVSS scores:	CVE-2024-2199 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-3657 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-3657 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-5953 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-5953 ( NVD ): 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:	openSUSE Leap 15.6 Server Applications Module 15-SP6 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves three vulnerabilities and has two security fixes can now be installed.

Description:

This update for 389-ds fixes the following issues:

• Persist extracted key path for ldap_ssl_client_init over repeat invocations (bsc#1230852)
• Re-enable use of .dsrc basedn for dsidm commands (bsc#1231462)
• Update to version 2.2.10~git18.20ce9289:
• RFE: Use previously extracted key path
• Update dsidm to prioritize basedn from .dsrc over interactive input
• UI: Instance fails to load when DB backup directory doesn't exist
• Improve online import robustness when the server is under load
• Ensure all slapi_log_err calls end format strings with newline character \n
• RFE: when memberof is enabled, defer updates of members from the update of the group
• Provide more information in the error message during setup_ol_tls_conn()
• Wrong set of entries returned for some search filters
• Schema lib389 object is not keeping custom schema data upon editing
• UI: Fix audit issue with npm - micromatch
• Fix long delay when setting replication agreement with dsconf
• Changelog trims updates from a given RID even if a consumer has not received any of them
• test_password_modify_non_utf8 should set default password storage scheme
• Update Cargo.lock
• Rearrange includes for 32-bit support logic
• Fix fedora cop RawHide builds
• Bump braces from 3.0.2 to 3.0.3 in /src/cockpit/389-console
• Enabling replication for a sub suffix crashes browser
• d2entry - Could not open id2entry err 0 - at startup when having sub-suffixes
• Slow ldif2db import on a newly created BDB backend
• Audit log buffering doesn't handle large updates
• RFE: improve the performance of evaluation of filter component when tested against a large valueset (like group members)
• passwordHistory is not updated with a pre-hashed password
• ns-slapd crash in referint_get_config
• Fix the UTC offset print
• Fix OpenLDAP version autodetection
• RFE: add new operation note for MFA authentications
• Add log buffering to audit log
• Fix connection timeout error breaking errormap
• Improve dsidm CLI No Such Entry handling
• Improve connection timeout error logging
• Add hidden -v and -j options to each CLI subcommand
• Fix various issues with logconv.pl
• Fix certificate lifetime displayed as NaN
• Enhance Rust and JS bundling and add SPDX licenses for both
• Remove audit-ci from dependencies
• Fix unused variable warning from previous commit
• covscan: fix memory leak in audit log when adding entries
• Add a check for tagged commits
• dscreate ds-root - accepts relative path
• Change replica_id from str to int
• Attribute Names changed to lowercase after adding the Attributes
• ns-slapd crashes at startup if a backend has no suffix
• During an update, if the target entry is reverted in the entry cache, the server should not retry to lock it
• Reversion of the entry cache should be limited to BETXN plugin failures
• Disable Transparent Huge Pages
• Freelist ordering causes high wtime
• Security fix for CVE-2024-2199
• VUL-0: CVE-2024-3657: 389-ds: potential denial of service via specially crafted kerberos AS-REQ request (bsc#1225512)
• VUL-0: CVE-2024-5953: 389-ds: malformed userPassword hashes may cause a denial of service (bsc#1226277)
• 389ds crash when user does change password using iso-8859-1 encoding (bsc#1228912)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.6
  zypper in -t patch SUSE-2024-3844=1 openSUSE-SLE-15.6-2024-3844=1
• Server Applications Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP6-2024-3844=1

Package List:

• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  • libsvrcore0-debuginfo-2.2.10~git18.20ce9289-150600.8.10.1
  • 389-ds-debuginfo-2.2.10~git18.20ce9289-150600.8.10.1
  • 389-ds-debugsource-2.2.10~git18.20ce9289-150600.8.10.1
  • libsvrcore0-2.2.10~git18.20ce9289-150600.8.10.1
  • 389-ds-snmp-2.2.10~git18.20ce9289-150600.8.10.1
  • 389-ds-devel-2.2.10~git18.20ce9289-150600.8.10.1
  • 389-ds-snmp-debuginfo-2.2.10~git18.20ce9289-150600.8.10.1
  • 389-ds-2.2.10~git18.20ce9289-150600.8.10.1
  • lib389-2.2.10~git18.20ce9289-150600.8.10.1
• Server Applications Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  • libsvrcore0-debuginfo-2.2.10~git18.20ce9289-150600.8.10.1
  • 389-ds-debuginfo-2.2.10~git18.20ce9289-150600.8.10.1
  • 389-ds-debugsource-2.2.10~git18.20ce9289-150600.8.10.1
  • libsvrcore0-2.2.10~git18.20ce9289-150600.8.10.1
  • 389-ds-devel-2.2.10~git18.20ce9289-150600.8.10.1
  • 389-ds-2.2.10~git18.20ce9289-150600.8.10.1
  • lib389-2.2.10~git18.20ce9289-150600.8.10.1

References:

• https://www.suse.com/security/cve/CVE-2024-2199.html
• https://www.suse.com/security/cve/CVE-2024-3657.html
• https://www.suse.com/security/cve/CVE-2024-5953.html
• https://bugzilla.suse.com/show_bug.cgi?id=1225512
• https://bugzilla.suse.com/show_bug.cgi?id=1226277
• https://bugzilla.suse.com/show_bug.cgi?id=1228912
• https://bugzilla.suse.com/show_bug.cgi?id=1230852
• https://bugzilla.suse.com/show_bug.cgi?id=1231462