Description: A flaw has been found in 389-ds-base versions 1.4.x.x before When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information.
Source: CVE

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release         Version          Status
389-ds-base (PTS)    buster          1.4.0.21-1       vulnerable
389-ds-base (PTS)    bookworm, sid   2.3.1+dfsg1-1    fixed

The information below is based on the following data on fixed versions.

Package       Type     Release   Fixed Version    Urgency   Origin   Debian Bugs
389-ds-base   source   jessie    (not affected)
389-ds-base   source   stretch   (not affected)


[buster] - 389-ds-base <no-dsa> (Minor issue)
[stretch] - 389-ds-base <not-affected> (vulnerable code not present)
[jessie] - 389-ds-base <not-affected> (vulnerable code not present)
[stretch] - python-lib389 <no-dsa> (Minor issue)
