| Name | CVE-2016-5405 |
| Description | 389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, Red Hat Enterprise Linux HPC Node 6 through 7, Red Hat Enterprise Linux Server 6 through 7, and Red Hat Enterprise Linux Workstation 6 through 7 allows remote attackers to obtain user passwords. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 842121 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| 389-ds-base (PTS) | jessie, jessie (lts) | 1.3.3.5-4+deb8u7 | vulnerable |
| stretch | 1.3.5.17-2 | fixed |
| buster | 1.4.0.21-1 | fixed |
| buster (security) | 1.4.0.21-1+deb10u1 | fixed |
| bullseye | 1.4.4.11-2 | fixed |
| bookworm | 2.3.1+dfsg1-1 | fixed |
| trixie | 2.4.4+dfsg1-3 | fixed |
| sid | 2.4.5+dfsg1-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| 389-ds-base | source | (unstable) | 1.3.5.15-1 | | | 842121 |
Notes
[jessie] - 389-ds-base <no-dsa> (minor issue)
This affects systems storing passwords in plain text.
Systems using unsalted hashes might be unsafe as well if using weak
hash algorithms, however the attack would be very time-consuming.
the patch for this CVE causes CVE-2017-15135