Date: Mon, 22 Aug 2016 10:16:30 +0200
From: Cedric Buissart <cbuissar@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2016-5404 freeipa: Insufficient privileges check in certificate revocation

Patch for this incident is now upstream.

For the master branch commit:
https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=cf74584d0f772f3f5eccc1d30c001e4212a104fd

Other branches have been fixed too.

Regards,
Cedric

On Wed, Aug 17, 2016 at 7:30 PM, Cedric Buissart <cbuissar@...hat.com> wrote:
> Hi,
>
> This is to disclose the following CVE:
>
> CVE-2016-5404 freeipa: Insufficient privileges check in certificate
> revocation
>
> Description:
> An insufficient permission check issue was found in the way IPA server
> treats certificate revocation requests. An attacker logged in with the
> 'retrieve certificate' permission enabled could use this flaw to revoke
> certificates, possibly triggering a denial of service attack.
>
> All versions are affected.
>
> Patches can be found on the corresponding Red Hat Bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5404
>
> Impact: Moderate
> CVSS3 scoring: 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
>
> Reported by: Fraser Tweedale (Red Hat)
>
> Best Regards,
>
> --
> Cedric Buissart,
> Product Security

--
Cedric Buissart,
Product Security