389 Directory Server 1.4.0.14 and 1.3.8.7

Two new versions of the 389 Directory Server have been released.

The 1.4.0.14 release addresses several issues, including fixing a crash that could arise from a request that includes the server-side sort request control, improved logging for internal operations, and updates to the management interfaces.

The 1.3.8.7 release is smaller and the main issue addressed is the fix for the server-side sort crash issue.

389 Directory Server 1.4.0.13 and 1.3.8.6

Two new versions of the 389 Directory Server have been released.

The 1.4.0.13 release looks like the more significant of the two, adding support for SASL authentication in the CLI and other user interface, and ensuring that certain filesystem directories get created at startup, in addition to backing out a security fix introduced in the recent 1.4.0.12 release that deals with unhashed passwords after it created an issue with FreeIPA.

The 1.3.8.6 release is smaller and only seems to be an update to the recent 1.3.8.5 release that backs out the same security fix that was reverted in the 1.4.0.13 release.

A Clarification on the Apache LDAP API 1.0.2 Release

I’ve received an update on the Apache LDAP API version 1.0.2 release that I mentioned in a previous post. The most critical update in this release is a security fix that addresses CVE-2018-1337, in which a race condition made it possible for a plaintext request to be sent over a connection after the StartTLS extended operation had been initiated but before the security layer had actually been applied to that connection. It sounds like this primarily affects connections associated with a connection pool that were released to the pool and made available for use before the TLS security layer was entirely in place.

It seems that the 1.0.1 release of the API included a workaround for the problem, while the 1.0.2 release includes the real fix, which explains the same problem description appearing in both the 1.0.1 and 1.0.2 release announcements.

If you’re using the Apache LDAP API, you’re encouraged to update to the 1.0.2 release as quickly as possible.


Editor’s note: I have since learned that the problem is not limited to the StartTLS extended operation, and that it affects all uses of SSL/TLS.

Apache LDAP API 1.0.2 Released

The Apache Directory LDAP API version 1.0.2 has been released. The release announcement states that it’s a bugfix release, but doesn’t offer any additional information about the changes that it includes. There also don’t appear to be any release notes on the website or in the product download. The project website does suggest that it may include fixes for one or more critical security problems, including one that may result in clear-text communication when encrypted communication was expected, but that may be a copy-and-paste typo as identical text appears in the release announcement for the 1.0.1 version.


Editor’s note: I received a clarification on the contents of this release and have written a new post describing the primary security fix that it contains. Thanks to Emmanuel Lécharny for the update.