Your message dated Fri, 20 Jan 2023 22:07:28 +0000
with message-id <e1pizxk-005gja...@fasolo.debian.org>
and subject line Bug#1016446: fixed in 389-ds-base 2.3.1-1
has caused the Debian Bug report #1016446,
regarding 389-ds-base: CVE-2022-1949
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1016446: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016446
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: 389-ds-base
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for 389-ds-base.

CVE-2022-1949[0]:
| An access control bypass vulnerability found in 389-ds-base. That
| mishandling of the filter that would yield incorrect results, but as
| that has progressed, can be determined that it actually is an access
| control bypass. This may allow any remote unauthenticated user to
| issue a filter that allows searching for database items they do not
| have access to, including but not limited to potentially userPassword
| hashes and other sensitive data.

https://bugzilla.redhat.com/show_bug.cgi?id=2091781
https://github.com/389ds/389-ds-base/issues/5170

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-1949
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1949

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: 389-ds-base
Source-Version: 2.3.1-1
Done: Timo Aaltonen <tjaal...@debian.org>

We believe that the bug you reported is fixed in the latest version of
389-ds-base, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1016...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <tjaal...@debian.org> (supplier of updated 389-ds-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 20 Jan 2023 23:15:49 +0200
Source: 389-ds-base
Built-For-Profiles: noudeb
Architecture: source
Version: 2.3.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team <pkg-freeipa-de...@alioth-lists.debian.net>
Changed-By: Timo Aaltonen <tjaal...@debian.org>
Closes: 1000017 1010136 1016446 1018054 1028177
Changes:
 389-ds-base (2.3.1-1) unstable; urgency=medium
 .
   * New upstream release. (Closes: #1028177)
     - CVE-2022-1949 (Closes: #1016446)
     - CVE-2022-2850 (Closes: #1018054)
   * watch: Updated to use releases instead of tags.
   * control: Add liblmdb-dev to build-depends.
   * control: Add libjson-c-dev to build-depends.
   * control: Build-depend on libpcre2-dev. (Closes: #1000017)
   * Build with rust enabled.
   * rules: Don't use a separate builddir for now.
   * 5610-fix-linking.diff: Fix linking libslapd.so.
   * dont-run-rpm.diff: Use dpkg-query to check for cockpit/firewalld.
     (Closes: #1010136)


--- End Message ---
