Security update for 389-ds SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:1211-1 Final 1 1 2021-08-30T14:07:05Z current 2021-08-30T14:07:05Z 2021-08-30T14:07:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for 389-ds This update for 389-ds fixes the following issues: - Update to version 1.4.3.24 - CVE-2021-3652: Fixed crypt handling of locked accounts. (bsc#1188455) This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-1211 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2ABU3X6UN2T7T6CM6IV43OUZVX56S5O3/ E-Mail link for openSUSE-SU-2021:1211-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1188455 SUSE Bug 1188455 https://www.suse.com/security/cve/CVE-2021-3652/ SUSE CVE CVE-2021-3652 page openSUSE Leap 15.2 389-ds-1.4.3.24~git13.7b705e743-lp152.2.18.1 389-ds-devel-1.4.3.24~git13.7b705e743-lp152.2.18.1 389-ds-snmp-1.4.3.24~git13.7b705e743-lp152.2.18.1 lib389-1.4.3.24~git13.7b705e743-lp152.2.18.1 libsvrcore0-1.4.3.24~git13.7b705e743-lp152.2.18.1 389-ds-1.4.3.24~git13.7b705e743-lp152.2.18.1 as a component of openSUSE Leap 15.2 389-ds-devel-1.4.3.24~git13.7b705e743-lp152.2.18.1 as a component of openSUSE Leap 15.2 389-ds-snmp-1.4.3.24~git13.7b705e743-lp152.2.18.1 as a component of openSUSE Leap 15.2 lib389-1.4.3.24~git13.7b705e743-lp152.2.18.1 as a component of openSUSE Leap 15.2 libsvrcore0-1.4.3.24~git13.7b705e743-lp152.2.18.1 as a component of openSUSE Leap 15.2 A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled. CVE-2021-3652 openSUSE Leap 15.2:389-ds-1.4.3.24~git13.7b705e743-lp152.2.18.1 openSUSE Leap 15.2:389-ds-devel-1.4.3.24~git13.7b705e743-lp152.2.18.1 openSUSE Leap 15.2:389-ds-snmp-1.4.3.24~git13.7b705e743-lp152.2.18.1 openSUSE Leap 15.2:lib389-1.4.3.24~git13.7b705e743-lp152.2.18.1 openSUSE Leap 15.2:libsvrcore0-1.4.3.24~git13.7b705e743-lp152.2.18.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2ABU3X6UN2T7T6CM6IV43OUZVX56S5O3/ https://www.suse.com/security/cve/CVE-2021-3652.html CVE-2021-3652 https://bugzilla.suse.com/1188455 SUSE Bug 1188455