Bugzilla – Bug 1099465
VUL-0: CVE-2018-10871: 389-ds: replication and the Retro Changelog plugin store plaintext password by default
Last modified: 2020-04-11 22:50:22 UTC
By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores password in plaintext format in their respective changelog files.
An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords.
It looks like there was a fix, but it had to be reverted as IPA breaks with it.
I want to point out, that the retrochangelog is not a default configuration item, so the risk to this CVE is minimal (unless you have IPA server install, where it requires this feature, but SUSE does not support IPA server).
The work around is:
SUSE-SU-2019:2155-1: An update that solves 8 vulnerabilities and has two fixes is now available.
Category: security (important)
Bug References: 1083689,1092187,1099465,1105606,1108674,1109609,1120189,1132385,1144797,991201
CVE References: CVE-2016-5416,CVE-2018-1054,CVE-2018-10871,CVE-2018-1089,CVE-2018-10935,CVE-2018-14638,CVE-2018-14648,CVE-2019-3883
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): 389-ds-126.96.36.199~git0.8a2d3de6f-4.14.1
SUSE Linux Enterprise Module for Server Applications 15 (src): 389-ds-188.8.131.52~git0.8a2d3de6f-4.14.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): 389-ds-184.108.40.206~git0.8a2d3de6f-4.14.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): 389-ds-220.127.116.11~git0.8a2d3de6f-4.14.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration:
This bug (1099465) was mentioned in
https://build.opensuse.org/request/show/793266 15.1 / 389-ds