lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050721141221.GA7042@piware.de>
Date: Thu Jul 21 15:12:28 2005
From: martin.pitt at canonical.com (Martin Pitt)
Subject: [USN-152-1] PAM/NSS LDAP vulnerabilitiy

===========================================================
Ubuntu Security Notice USN-152-1	      July 21, 2005
openldap2, libpam-ldap, libnss-ldap vulnerabilities
CAN-2005-2069
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

libnss-ldap
libpam-ldap
slapd

On Ubuntu 4.10, the problem can be corrected by upgrading the affected
packages to version 2.1.30-2ubuntu4.1 (slapd), 164-2ubuntu0.1
(libpam-ldap), and 220-1ubuntu0.1 (libnss-ldap).

On Ubuntu 5.04, the problem can be corrected by upgrading the affected
packages to version 2.1.30-3ubuntu3.1 (slapd), 169-1ubuntu0.1
(libpam-ldap), and 220-1ubuntu0.1 (libnss-ldap).

In general, a standard system upgrade is sufficient to effect the
necessary changes.

(Please note that libnss-ldap and libpam-ldap are not officially
supported by Ubuntu, they are in the "universe" suite of the archive.)

Details follow:

Andrea Barisani discovered a flaw in the SSL handling of pam-ldap and
libnss-ldap. When a client connected to a slave LDAP server using SSL,
the slave server did not use SSL as well when contacting the LDAP
master server. This caused passwords and other confident information
to be transmitted unencrypted between the slave and the master.


Updated packages for Ubuntu 4.10 (Warty Warthog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_211-4ubuntu0.1.diff.gz
      Size/MD5:    40012 180bfdaf8ddf765fbffd5a671c2e08e5
    http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_211-4ubuntu0.1.dsc
      Size/MD5:      687 6b1c2784a1033e5ec81903976c950331
    http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_211.orig.tar.gz
      Size/MD5:   221013 34adcab5d46a436617ae686cc7c5e78f
    http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_164-2ubuntu0.1.diff.gz
      Size/MD5:    31544 8d085bc008fe5ac70b2a0ad6d56f92f8
    http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_164-2ubuntu0.1.dsc
      Size/MD5:      678 da1e9384d50f7b968adf547d829b7315
    http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_164.orig.tar.gz
      Size/MD5:   116873 0b5d6ef6735480210d27a3d969f59e12
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/openldap2_2.1.30-2ubuntu4.1.diff.gz
      Size/MD5:   116650 89863ef77edba510914cfdad0d3348ef
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/openldap2_2.1.30-2ubuntu4.1.dsc
      Size/MD5:      971 a430e9d325011aa5707b511f64d239dd
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/openldap2_2.1.30.orig.tar.gz
      Size/MD5:  2044673 e2ae8148c4bed07d7a70edd930bdc403

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libslapd2-dev_2.1.30-2ubuntu4.1_all.deb
      Size/MD5:    71854 f2b7772fa613690daa5eb85afcd13a34

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/ldap-utils_2.1.30-2ubuntu4.1_amd64.deb
      Size/MD5:   125906 79af7aa37ff71b874214b90ee9ecae1e
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2-dev_2.1.30-2ubuntu4.1_amd64.deb
      Size/MD5:   360024 986821f16397c44875c6f9631e376620
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2_2.1.30-2ubuntu4.1_amd64.deb
      Size/MD5:   308242 d4047e25be22bcf3064f3401d3827a4f
    http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_211-4ubuntu0.1_amd64.deb
      Size/MD5:    69096 4dce5370da2e0f675d274801f993ac05
    http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_164-2ubuntu0.1_amd64.deb
      Size/MD5:    49546 bdda10f11dae5c0eb89aae5dcb58f17d
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/slapd_2.1.30-2ubuntu4.1_amd64.deb
      Size/MD5:  1000922 d0cccba6c649de288204b677c051763c

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/ldap-utils_2.1.30-2ubuntu4.1_i386.deb
      Size/MD5:   111448 146b9142a0148940068a0e583c0f05bd
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2-dev_2.1.30-2ubuntu4.1_i386.deb
      Size/MD5:   316880 5828ac19e41a9dfd6f42acc754cb3c5d
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2_2.1.30-2ubuntu4.1_i386.deb
      Size/MD5:   283620 2750618047fc01d8393a773caea6ee4f
    http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_211-4ubuntu0.1_i386.deb
      Size/MD5:    67978 a2a3f9a58c2a01b9e03f8f7e28575b80
    http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_164-2ubuntu0.1_i386.deb
      Size/MD5:    49208 cd423f7aa2211f49110913d661f9effe
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/slapd_2.1.30-2ubuntu4.1_i386.deb
      Size/MD5:   902696 5acca424b573c4359cfd26e41677ce0c

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/ldap-utils_2.1.30-2ubuntu4.1_powerpc.deb
      Size/MD5:   127948 1a88da127a39484da2c2d0fb782ae0ac
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2-dev_2.1.30-2ubuntu4.1_powerpc.deb
      Size/MD5:   371714 e3579e3bedba4e79e4817178aae191de
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2_2.1.30-2ubuntu4.1_powerpc.deb
      Size/MD5:   301834 207ffdaf7d6a59efeed541c1186826be
    http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_211-4ubuntu0.1_powerpc.deb
      Size/MD5:    70402 4dd21e0f29aacf85c3e8caef7ac04ccb
    http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_164-2ubuntu0.1_powerpc.deb
      Size/MD5:    49762 c10ceae89d679444cab7d150d709d09c
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/slapd_2.1.30-2ubuntu4.1_powerpc.deb
      Size/MD5:   975904 b3c3f67196e71eb563e501f55bc97dd8

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_220-1ubuntu0.1.diff.gz
      Size/MD5:    26873 59ccd69249e345d2f535a4b6bdf323dd
    http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_220-1ubuntu0.1.dsc
      Size/MD5:      687 660f621b904c8cc6db16a1027bca370c
    http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_220.orig.tar.gz
      Size/MD5:   204826 d401485fcabf4ea40d244c2c9a19247e
    http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_169-1ubuntu0.1.diff.gz
      Size/MD5:    26203 f6618a137174a52f3eaa2c6dc357b434
    http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_169-1ubuntu0.1.dsc
      Size/MD5:      678 ba2b65635fcc64aefc6a12c2c90b3bd0
    http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_169.orig.tar.gz
      Size/MD5:   119817 62abfe9c5d62e7d112c12d0e5863129f
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/openldap2_2.1.30-3ubuntu3.1.diff.gz
      Size/MD5:   117295 743d542b68dd5d743527ac15500b8b51
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/openldap2_2.1.30-3ubuntu3.1.dsc
      Size/MD5:      988 abcae0bb7933a4634c0562c41b17a4d5
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/openldap2_2.1.30.orig.tar.gz
      Size/MD5:  2044673 e2ae8148c4bed07d7a70edd930bdc403

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libslapd2-dev_2.1.30-3ubuntu3.1_all.deb
      Size/MD5:    72308 60a8341fad6776f7da90291b0c0a41e5

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/ldap-utils_2.1.30-3ubuntu3.1_amd64.deb
      Size/MD5:   126282 504170293b367b3d3960c19619386368
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2-dev_2.1.30-3ubuntu3.1_amd64.deb
      Size/MD5:   361172 fc2aaa72ddc00c7ea6e9118d18532672
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2_2.1.30-3ubuntu3.1_amd64.deb
      Size/MD5:   309092 62bb57d16d2e0b7ef505d9023eacc687
    http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_220-1ubuntu0.1_amd64.deb
      Size/MD5:    74590 f1087a8146dd42601bbc990f8d1c755d
    http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_169-1ubuntu0.1_amd64.deb
      Size/MD5:    52078 6057c9f1597d80a2c162837b25f2e9a7
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/slapd_2.1.30-3ubuntu3.1_amd64.deb
      Size/MD5:  1087990 a8a2b8b425be64cb3fcf5a32a8d83416

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/ldap-utils_2.1.30-3ubuntu3.1_i386.deb
      Size/MD5:   110644 d52d6dd0c45e8532c6170ddf1a52f19c
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2-dev_2.1.30-3ubuntu3.1_i386.deb
      Size/MD5:   317990 4e54bf4ec7dc799de00bf8bf0711bded
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2_2.1.30-3ubuntu3.1_i386.deb
      Size/MD5:   284484 89c8c1a89831713025896642ccccd900
    http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_220-1ubuntu0.1_i386.deb
      Size/MD5:    73536 ed6ee791428191886b86d29063997565
    http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_169-1ubuntu0.1_i386.deb
      Size/MD5:    51670 384be799688e0277feb86b4508288699
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/slapd_2.1.30-3ubuntu3.1_i386.deb
      Size/MD5:   979238 3e2fad1ffb1b9d7eac366467da98e3ce

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/ldap-utils_2.1.30-3ubuntu3.1_powerpc.deb
      Size/MD5:   129544 bb935cbb6fc5e7670646607d0c481ff6
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2-dev_2.1.30-3ubuntu3.1_powerpc.deb
      Size/MD5:   373102 fbd4736d7f2167db5a204609f08076e6
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2_2.1.30-3ubuntu3.1_powerpc.deb
      Size/MD5:   302728 8e97eb53df941a8d4546f3de39477aa7
    http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_220-1ubuntu0.1_powerpc.deb
      Size/MD5:    75784 8d77afd6f2a602294cc1d953b9995c38
    http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_169-1ubuntu0.1_powerpc.deb
      Size/MD5:    52180 40ef599a113e873a235b76f315a444d2
    http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/slapd_2.1.30-3ubuntu3.1_powerpc.deb
      Size/MD5:  1058104 59a515083487c2218c4acefb99bee97d
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050721/21383406/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ