Synopsis: Moderate: 389-ds-base security, bug fix, and enhancement update Advisory ID: SLSA-2016:2594-2 Issue Date: 2016-11-03 CVE Numbers: CVE-2016-4992 CVE-2016-5416 CVE-2016-5405 -- The following packages have been upgraded to a newer upstream version: 389 -ds-base (1.3.5.10). Security Fix(es): * It was found that 389 Directory Server was vulnerable to a flaw in which the default ACI (Access Control Instructions) could be read by an anonymous user. This could lead to leakage of sensitive information. (CVE-2016-5416) * An information disclosure flaw was found in 389 Directory Server. A user with no access to objects in certain LDAP sub-tree could send LDAP ADD operations with a specific object name. The error message returned to the user was different based on whether the target object existed or not. (CVE-2016-4992) * It was found that 389 Directory Server was vulnerable to a remote password disclosure via timing attack. A remote attacker could possibly use this flaw to retrieve directory server password after many tries. (CVE-2016-5405) The CVE-2016-5416 issue was discovered by Viktor Ashirov (Red Hat); the CVE-2016-4992 issue was discovered by Petr Spacek (Red Hat) and Martin Basti (Red Hat); and the CVE-2016-5405 issue was discovered by William Brown (Red Hat). Additional Changes: -- SL7 x86_64 389-ds-base-1.3.5.10-11.el7.x86_64.rpm 389-ds-base-debuginfo-1.3.5.10-11.el7.x86_64.rpm 389-ds-base-devel-1.3.5.10-11.el7.x86_64.rpm 389-ds-base-libs-1.3.5.10-11.el7.x86_64.rpm 389-ds-base-snmp-1.3.5.10-11.el7.x86_64.rpm - Scientific Linux Development Team