389-ds-1.3.4.14-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10157-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z 389-ds-1.3.4.14-1.2 on GA media These are all security issues fixed in the 389-ds-1.3.4.14-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10157 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2014-8105/ SUSE CVE CVE-2014-8105 page https://www.suse.com/security/cve/CVE-2014-8112/ SUSE CVE CVE-2014-8112 page https://www.suse.com/security/cve/CVE-2015-1854/ SUSE CVE CVE-2015-1854 page https://www.suse.com/security/cve/CVE-2015-3230/ SUSE CVE CVE-2015-3230 page openSUSE Tumbleweed 389-ds-1.3.4.14-1.2 389-ds-devel-1.3.4.14-1.2 389-ds-1.3.4.14-1.2 as a component of openSUSE Tumbleweed 389-ds-devel-1.3.4.14-1.2 as a component of openSUSE Tumbleweed 389 Directory Server before 1.3.2.27 and 1.3.3.x before 1.3.3.9 does not properly restrict access to the "cn=changelog" LDAP sub-tree, which allows remote attackers to obtain sensitive information from the changelog via unspecified vectors. CVE-2014-8105 openSUSE Tumbleweed:389-ds-1.3.4.14-1.2 openSUSE Tumbleweed:389-ds-devel-1.3.4.14-1.2 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-8105.html CVE-2014-8105 389 Directory Server 1.3.1.x, 1.3.2.x before 1.3.2.27, and 1.3.3.x before 1.3.3.9 stores "unhashed" passwords even when the nsslapd-unhashed-pw-switch option is set to off, which allows remote authenticated users to obtain sensitive information by reading the Changelog. CVE-2014-8112 openSUSE Tumbleweed:389-ds-1.3.4.14-1.2 openSUSE Tumbleweed:389-ds-devel-1.3.4.14-1.2 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-8112.html CVE-2014-8112 389 Directory Server before 1.3.3.10 allows attackers to bypass intended access restrictions and modify directory entries via a crafted ldapmodrdn call. CVE-2015-1854 openSUSE Tumbleweed:389-ds-1.3.4.14-1.2 openSUSE Tumbleweed:389-ds-devel-1.3.4.14-1.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-1854.html CVE-2015-1854 https://bugzilla.suse.com/929034 SUSE Bug 929034 389 Directory Server (formerly Fedora Directory Server) before 1.3.3.12 does not enforce the nsSSL3Ciphers preference when creating an sslSocket, which allows remote attackers to have unspecified impact by requesting to use a disabled cipher. CVE-2015-3230 openSUSE Tumbleweed:389-ds-1.3.4.14-1.2 openSUSE Tumbleweed:389-ds-devel-1.3.4.14-1.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-3230.html CVE-2015-3230 https://bugzilla.suse.com/934934 SUSE Bug 934934