Candidate: CVE-2017-2591 PublicDate: 2018-04-30 12:29:00 UTC References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2591 https://fedorahosted.org/389/ticket/48986 Description: 389-ds-base before version 1.3.6 is vulnerable to an improperly NULL terminated array in the uniqueness_entry_to_config() function in the "attribute uniqueness" plugin of 389 Directory Server. An authenticated, or possibly unauthenticated, attacker could use this flaw to force an out-of-bound heap memory read, possibly triggering a crash of the LDAP service. Ubuntu-Description: Notes: leosilva> the project changed its site. That's the current one: https://pagure.io/389-ds-base leosilva> for commits from the older site, just copy the sha and paste with /c/ Bugs: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851769 Priority: medium Discovered-by: Assigned-to: CVSS: nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH] Patches_389-ds-base: upstream: https://pagure.io/389-ds-base/c/ffda694dd622b31277da07be76d3469fad86150f upstream_389-ds-base: released (1.3.5.15-2) precise_389-ds-base: ignored (reached end-of-life) precise/esm_389-ds-base: DNE (precise was needs-triage) trusty_389-ds-base: not-affected (code not present) trusty/esm_389-ds-base: DNE (trusty was not-affected [code not present]) vivid/stable-phone-overlay_389-ds-base: DNE vivid/ubuntu-core_389-ds-base: DNE xenial_389-ds-base: ignored (end of standard support, was needed) yakkety_389-ds-base: ignored (reached end-of-life) zesty_389-ds-base: ignored (reached end-of-life) artful_389-ds-base: not-affected bionic_389-ds-base: not-affected cosmic_389-ds-base: not-affected (1.4.0.18-1) disco_389-ds-base: not-affected (1.4.0.18-1) eoan_389-ds-base: not-affected (1.4.0.18-1) focal_389-ds-base: not-affected (1.4.0.18-1) groovy_389-ds-base: not-affected (1.4.0.18-1) hirsute_389-ds-base: not-affected (1.4.0.18-1) impish_389-ds-base: not-affected (1.4.0.18-1) jammy_389-ds-base: not-affected (1.4.0.18-1) devel_389-ds-base: not-affected (1.4.0.18-1)