Description: A flaw has been found in 389-ds-base versions 1.4.x.x before When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: low

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release        Version     Status
389-ds-base (PTS)     stretch        1.3.5.17-2  fixed
389-ds-base (PTS)     bullseye, sid  1.4.4.11-1  fixed
python-lib389 (PTS)   stretch        1.0.2-3     vulnerable

The information below is based on the following data on fixed versions.

Package      Type    Release  Fixed Version   Urgency  Origin  Debian Bugs
389-ds-base  source  jessie   (not affected)
389-ds-base  source  stretch  (not affected)


[buster] - 389-ds-base <no-dsa> (Minor issue)
[stretch] - 389-ds-base <not-affected> (vulnerable code not present)
[jessie] - 389-ds-base <not-affected> (vulnerable code not present)
[stretch] - python-lib389 <no-dsa> (Minor issue)
