Bugzilla – Bug 1007004
VUL-0: CVE-2016-5405: 389-ds: Password verification vulnerable to timing attack
Last modified: 2018-12-03 02:36:15 UTC
via RH: It was found that 389 Directory Server is vulnerable to a remote password disclosure via timing attack. Due to the use of strcmp and memcmp in the verification of passwords and hashes, a remote attacker is able to tell the difference between computation times, which makes him able to retrieve the password after many tries. This affects systems storing passwords in plain text. Systems using unsalted hashes might be unsafe as well if using weak hash algorithms; however, the attack would be very time-consuming.
-- no further details just yet
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1358865
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5405
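To make the mechanism in the description concrete, the following is an added illustration, not code from 389-ds or from the Red Hat report. It models the vulnerable pattern (a strcmp()-style compare that returns at the first differing byte) beside a constant-time compare, and counts the bytes each one examines as a stand-in for the elapsed time a remote attacker would measure. The stored value "secret-pw" and the guesses are constructed samples; the function names (naive_verify, ct_verify, naive_bytes, ct_bytes) are assumptions for this example only.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Instrumentation: number of byte comparisons performed by the last verify
 * call. It stands in for run time, which is what the attacker observes. */
static size_t bytes_examined;

/* Model of the vulnerable path: a strcmp()-style compare that returns at
 * the first differing byte. The work done, and so the timing, grows with
 * the length of the correct prefix in the guess, so an attacker can confirm
 * one byte at a time instead of guessing the whole secret at once. */
static int naive_verify(const char *stored, const char *guess)
{
    bytes_examined = 0;
    for (size_t i = 0; ; i++) {
        bytes_examined++;
        if (stored[i] != guess[i])
            return 0;            /* early exit leaks position of mismatch */
        if (stored[i] == '\0')
            return 1;            /* both strings ended together: match */
    }
}

/* Hardened path: a constant-time compare. Every byte of the stored value is
 * visited, differences are ORed into an accumulator, and a length mismatch
 * is folded into that accumulator instead of short-circuiting. Work depends
 * only on the stored length, never on how much of the guess is correct. */
static int ct_verify(const char *stored, const char *guess)
{
    size_t slen = strlen(stored);
    size_t glen = strlen(guess);
    unsigned int acc = (slen != glen);  /* 1 if lengths differ */

    bytes_examined = 0;
    for (size_t i = 0; i < slen; i++) {
        /* The guess length is attacker-supplied and already public, so
         * bounding on it is not a leak; missing guess bytes compare to 0. */
        unsigned char g = (i < glen) ? (unsigned char)guess[i] : 0;
        acc |= (unsigned char)stored[i] ^ g;
        bytes_examined++;
    }
    /* acc == 0 -> 1, acc in 1..255 -> 0, with no data-dependent branch. */
    return (int)(((acc - 1u) >> 8) & 1u);
}

/* Bytes examined by the vulnerable compare for one guess. */
static size_t naive_bytes(const char *stored, const char *guess)
{
    naive_verify(stored, guess);
    return bytes_examined;
}

/* Bytes examined by the constant-time compare for one guess. */
static size_t ct_bytes(const char *stored, const char *guess)
{
    ct_verify(stored, guess);
    return bytes_examined;
}

int main(void)
{
    const char *stored = "secret-pw";           /* constructed sample */
    const char *guesses[] = {                   /* longer correct prefixes */
        "aaaaaaaaa", "saaaaaaaa", "seaaaaaaa", "secret-pw"
    };
    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++) {
        printf("%-10s naive=%zu bytes  constant-time=%zu bytes\n",
               guesses[i], naive_bytes(stored, guesses[i]),
               ct_bytes(stored, guesses[i]));
    }
    return 0;
}
```

The byte count is a model: whether a real build stays constant-time also depends on the compiler not reintroducing an early exit, which is why production code should use a vetted primitive (for example OpenSSL's CRYPTO_memcmp) or check the generated assembly rather than trusting the C source alone. Comparing hashes with the same early-exit compare leaks the hash prefix rather than the password, which is why the report rates the hashed case as much slower to exploit but not safe.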
bugbot adjusting priority
Howard, could I bother you for a maintenance update for Leap for these bugs? 991201,997256,1007004,1020670,1051997,1069067,1069074
This is an autogenerated message for OBS integration: This bug (1007004) was mentioned in https://build.opensuse.org/request/show/548604 42.2 / 389-ds
This is an autogenerated message for OBS integration: This bug (1007004) was mentioned in https://build.opensuse.org/request/show/554810 42.2 / 389-ds
releasing, done. Thanks Howard
openSUSE-SU-2017:3362-1: An update that solves four vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 1007004,1020670,1051997,1069067,1069074,997256
CVE References: CVE-2016-4992,CVE-2016-5405,CVE-2017-2668,CVE-2017-7551
Sources used:
openSUSE Leap 42.3 (src): 389-ds-1.3.4.5-8.1
openSUSE Leap 42.2 (src): 389-ds-1.3.4.5-5.5.1
released