
Security Advisory Moderate: adminutil security update

Advisory: RHSA-2008:0601-2
Type: Security Advisory
Severity: Moderate
Issued on: 2008-08-27
Last updated on: 2008-08-27
Affected Products: Red Hat Directory Server v8 EL4
Red Hat Directory Server v8 EL5
CVEs (cve.mitre.org): CVE-2008-2929

Details

An updated adminutil package that fixes a security issue is now available
for Red Hat Directory Server 8.0.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Red Hat Directory Server is an LDAPv3-compliant server. The adminutil
package is a collection of function libraries used to administer directory
servers, usually in conjunction with the Administration Server.

The Directory Server Administration Express web interface incorrectly
parsed %-escaped user-provided values. A remote attacker could use this
flaw to conduct cross-site scripting attacks against directory server
administrators using the Administration Express web interface.
(CVE-2008-2929)
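
The advisory does not describe the parsing defect itself. As a general illustration of safe handling for this class of bug, the following added example (not code from adminutil or Red Hat; the names hexval and decode_and_escape are hypothetical) decodes %-escapes strictly and exactly once, rejects malformed escapes, and applies HTML escaping to the decoded byte rather than to the raw input:

```c
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes exactly once and HTML-escape the decoded bytes.
 * Returns 0 on success, -1 on malformed input or if out is too small. */
int decode_and_escape(const char *in, char *out, size_t cap) {
    size_t o = 0;
    if (cap == 0) return -1;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '%') {
            int hi = hexval((unsigned char)in[1]);
            /* Only look at in[2] if in[1] was a hex digit (no over-read). */
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[2]);
            if (lo < 0) return -1;   /* truncated or non-hex: "%", "%4", "%zz" */
            c = (unsigned char)(hi * 16 + lo);
            if (c == 0) return -1;   /* "%00" would truncate the C string */
            in += 2;
        }
        /* The metacharacter test runs on the decoded byte, so an escaped
         * '<' ("%3C") is neutralised the same way as a literal one. */
        const char *rep = c == '&' ? "&amp;" : c == '<' ? "&lt;" :
                          c == '>' ? "&gt;" : c == '"' ? "&quot;" :
                          c == '\'' ? "&#39;" : NULL;
        size_t n = rep ? strlen(rep) : 1;
        if (o + n >= cap) return -1; /* keep room for the terminator */
        if (rep) memcpy(out + o, rep, n); else out[o] = (char)c;
        o += n;
    }
    out[o] = '\0';
    return 0;
}
```
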

All users of Red Hat Directory Server should upgrade to these updated
adminutil packages, which resolve this issue.


Solution

This update is available via Red Hat Network.

Users running Red Hat Directory Server 8 on Red Hat Enterprise Linux should
consult the following Knowledge Base article for instructions on how to
install updated RPM packages: http://kbase.redhat.com/faq/FAQ_58_10188

Users running Red Hat Directory Server 8 on Solaris can download updated
Solaris packages in the PKG format from the Red Hat Directory Server 8.0
Solaris channel on the Red Hat Network. Those packages need to be
installed/upgraded using Solaris native package management tools.

See also Red Hat Directory Server 8.0 Installation Guide for installation
instructions: http://www.redhat.com/docs/manuals/dir-server/install/8.0/

Updated packages

Red Hat Directory Server v8 EL4

SRPMS:
adminutil-1.1.7-3.el4dsrv.src.rpm
File outdated by:  RHEA-2009:0455
    MD5: cea73efe4942fa4e90755cca81b43c71
 
IA-32:
adminutil-1.1.7-3.el4dsrv.i386.rpm
File outdated by:  RHEA-2009:0455
    MD5: febe5ea306f809dc6a3199d11e416d4b
adminutil-devel-1.1.7-3.el4dsrv.i386.rpm
File outdated by:  RHEA-2009:0455
    MD5: c907290c0561a77585f4e5375f786720
 
x86_64:
adminutil-1.1.7-3.el4dsrv.x86_64.rpm
File outdated by:  RHEA-2009:0455
    MD5: 060a41614dd67a102225147cbe1e3f41
adminutil-devel-1.1.7-3.el4dsrv.x86_64.rpm
File outdated by:  RHEA-2009:0455
    MD5: abb0faeaa57cd8d778631bf4097ae65d
 
Red Hat Directory Server v8 EL5

SRPMS:
adminutil-1.1.7-3.el5dsrv.src.rpm
File outdated by:  RHSA-2013:0549
    MD5: f8744c1785c1b75a6366c04de2e54ffd
 
IA-32:
adminutil-1.1.7-3.el5dsrv.i386.rpm
File outdated by:  RHSA-2013:0549
    MD5: 98fccd740dbcf2bd5200b875b37a53d5
adminutil-devel-1.1.7-3.el5dsrv.i386.rpm
File outdated by:  RHSA-2013:0549
    MD5: 3c93f10ac2c9750169bf6f89444ffcc1
 
x86_64:
adminutil-1.1.7-3.el5dsrv.x86_64.rpm
File outdated by:  RHSA-2013:0549
    MD5: 93d3919979eac357600cd49fc9cdad35
adminutil-devel-1.1.7-3.el5dsrv.x86_64.rpm
File outdated by:  RHSA-2013:0549
    MD5: 1b693a99c0121a0be451c48b6f2d83d5
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

454621 - CVE-2008-2929 Directory Server: multiple XSS issues



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/