Description
* It was found that 389 Directory Server was vulnerable to a flaw in which the
default ACI (Access Control Instructions) could be read by an anonymous user.
This could lead to leakage of sensitive information. (CVE-2016-5416)
* An information disclosure flaw was found in 389 Directory Server. A user with
no access to objects in a certain LDAP sub-tree could send LDAP ADD operations
with a specific object name. The error message returned to the user differed
depending on whether the target object existed or not. (CVE-2016-4992)
* It was found that 389 Directory Server was vulnerable to a remote password
disclosure via a timing attack. A remote attacker could possibly use this flaw to
retrieve the directory server password after many tries. (CVE-2016-5405)