
Firstyear

#18349 of 53,608
14.8 Total CVSS
Vulnerabilities · 2
Medium: 1
Critical: 1
PT-2017-3941
9.8
2017-08-16
Red Hat · 389-Ds-Base · CVE-2017-7551
**Name of the Vulnerable Software and Affected Versions**
389-ds-base versions prior to 1.3.5.19 and 1.3.6.7

**Description**
The issue is related to an account lockout error in the 389 Directory Server, which could allow password guessing. Exploitation of this issue may enable a remote attacker to access confidential data. The vulnerability is associated with different return codes being returned on password attempts during account lockout, making it vulnerable to password brute-force attacks.

**Recommendations**
For versions prior to 1.3.5.19, update to version 1.3.5.19 or later. For versions prior to 1.3.6.7, update to version 1.3.6.7 or later.
PT-2018-7121
5.0
2016-11-09
Red Hat · 389-Ds-Base · CVE-2017-2591
**Name of the Vulnerable Software and Affected Versions**
389-ds-base versions prior to 1.3.6

**Description**
The issue arises from an improperly NULL-terminated array in the uniqueness_entry_to_config() function within the "attribute uniqueness" plugin of 389 Directory Server. This could allow an authenticated, or possibly unauthenticated, attacker to force an out-of-bounds heap memory read, potentially causing a crash of the LDAP service.

**Recommendations**
For versions prior to 1.3.6, update to version 1.3.6 or later to resolve the issue.