Security update for 389-ds SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:2857-1 Final 1 1 2021-08-27T09:59:01Z current 2021-08-27T09:59:01Z 2021-08-27T09:59:01Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for 389-ds This update for 389-ds fixes the following issues: - Update to version 1.4.3.24 - CVE-2021-3652: Fixed crypt handling of locked accounts. (bsc#1188455) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-2857,SUSE-SLE-Module-Server-Applications-15-SP2-2021-2857 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20212857-1/ Link for SUSE-SU-2021:2857-1 https://lists.suse.com/pipermail/sle-security-updates/2021-August/009364.html E-Mail link for SUSE-SU-2021:2857-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1188455 SUSE Bug 1188455 https://www.suse.com/security/cve/CVE-2021-3652/ SUSE CVE CVE-2021-3652 page SUSE Linux Enterprise Module for Server Applications 15 SP2 389-ds-1.4.3.24~git13.7b705e743-3.19.1 389-ds-devel-1.4.3.24~git13.7b705e743-3.19.1 389-ds-snmp-1.4.3.24~git13.7b705e743-3.19.1 lib389-1.4.3.24~git13.7b705e743-3.19.1 libsvrcore0-1.4.3.24~git13.7b705e743-3.19.1 389-ds-1.4.3.24~git13.7b705e743-3.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP2 389-ds-devel-1.4.3.24~git13.7b705e743-3.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP2 lib389-1.4.3.24~git13.7b705e743-3.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP2 libsvrcore0-1.4.3.24~git13.7b705e743-3.19.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP2 A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled. CVE-2021-3652 SUSE Linux Enterprise Module for Server Applications 15 SP2:389-ds-1.4.3.24~git13.7b705e743-3.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP2:389-ds-devel-1.4.3.24~git13.7b705e743-3.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP2:lib389-1.4.3.24~git13.7b705e743-3.19.1 SUSE Linux Enterprise Module for Server Applications 15 SP2:libsvrcore0-1.4.3.24~git13.7b705e743-3.19.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212857-1/ https://www.suse.com/security/cve/CVE-2021-3652.html CVE-2021-3652 https://bugzilla.suse.com/1188455 SUSE Bug 1188455