Source: 389-ds-base Version: 1.4.0.22-1 Severity: important Tags: security upstream Forwarded: https://pagure.io/389-ds-base/issue/50329 Control: found -1 1.4.0.21-1
Hi, The following vulnerability was published for 389-ds-base. CVE-2019-3883[0]: | In 389-ds-base up to version 1.4.1.2, requests are handled by workers | threads. Each sockets will be waited by the worker for at most | 'ioblocktimeout' seconds. However this timeout applies only for un- | encrypted requests. Connections using SSL/TLS are not taking this | timeout into account during reads, and may hang longer.An | unauthenticated attacker could repeatedly create hanging LDAP requests | to hang all the workers, resulting in a Denial of Service. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-3883 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3883 [1] https://pagure.io/389-ds-base/issue/50329 Please adjust the affected versions in the BTS as needed. Regards, Salvatore

