CVE-2024-8445

Name: CVE-2024-8445
Description: The fix for CVE-2024-2199 in 389-ds-base was insufficient to cover all scenarios. In certain product versions, an authenticated user may cause a server crash while modifying `userPassword` using malformed input.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4021-1
Debian Bugs: 1082852

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release               Version                  Status
389-ds-base (PTS)    bullseye              1.4.4.11-2               vulnerable
                     bullseye (security)   1.4.4.11-2+deb11u1       fixed
                     bookworm              2.3.1+dfsg1-1+deb12u1    fixed
                     sid, trixie           3.1.2+dfsg1-1            fixed

The information below is based on the following data on fixed versions.

Package        Type     Release      Fixed Version         Urgency   Origin       Debian Bugs
389-ds-base    source   bullseye     1.4.4.11-2+deb11u1              DLA-4021-1
389-ds-base    source   (unstable)   2.0.11-1                                     1082852

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=2310110
CVE exists because of an insufficient/incomplete fix for CVE-2024-2199
The precise details are not public, but this wasn't backported to any supported branch after 1.x, so marking the first 2.x upload as the fixed version
