CVE-2019-10224

NameCVE-2019-10224
DescriptionA flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3399-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
389-ds-base (PTS)jessie, jessie (lts)1.3.3.5-4+deb8u7fixed
stretch1.3.5.17-2fixed
buster (security), buster, buster (lts)1.4.0.21-1+deb10u1fixed
bullseye1.4.4.11-2fixed
bookworm2.3.1+dfsg1-1fixed
sid3.1.1+dfsg1-2fixed
python-lib389 (PTS)stretch1.0.2-3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
389-ds-basesourcejessie(not affected)
389-ds-basesourcestretch(not affected)
389-ds-basesourcebuster1.4.0.21-1+deb10u1DLA-3399-1
389-ds-basesource(unstable)1.4.1.5-1
python-lib389source(unstable)(unfixed)

Notes

[stretch] - 389-ds-base <not-affected> (vulnerable code not present)
[jessie] - 389-ds-base <not-affected> (vulnerable code not present)
[stretch] - python-lib389 <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=1677147
https://pagure.io/389-ds-base/issue/50251
https://pagure.io/389-ds-base/c/632ecb90d96ac0535656f5aaf67fd2be4b81d310

Search for package or bug name: Reporting problems