| Name | CVE-2019-10224 |
| Description | A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3399-1 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| 389-ds-base (PTS) | jessie, jessie (lts) | 1.3.3.5-4+deb8u7 | fixed |
| stretch | 1.3.5.17-2 | fixed | |
| buster (security), buster, buster (lts) | 1.4.0.21-1+deb10u1 | fixed | |
| bullseye | 1.4.4.11-2 | fixed | |
| bookworm | 2.3.1+dfsg1-1 | fixed | |
| sid, trixie | 3.1.1+dfsg1-2 | fixed | |
| python-lib389 (PTS) | stretch | 1.0.2-3 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| 389-ds-base | source | jessie | (not affected) | |||
| 389-ds-base | source | stretch | (not affected) | |||
| 389-ds-base | source | buster | 1.4.0.21-1+deb10u1 | DLA-3399-1 | ||
| 389-ds-base | source | (unstable) | 1.4.1.5-1 | |||
| python-lib389 | source | (unstable) | (unfixed) |
[stretch] - 389-ds-base <not-affected> (vulnerable code not present)
[jessie] - 389-ds-base <not-affected> (vulnerable code not present)
[stretch] - python-lib389 <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=1677147
https://pagure.io/389-ds-base/issue/50251
https://pagure.io/389-ds-base/c/632ecb90d96ac0535656f5aaf67fd2be4b81d310