[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050721141221.GA7042@piware.de>
Date: Thu Jul 21 15:12:28 2005
From: martin.pitt at canonical.com (Martin Pitt)
Subject: [USN-152-1] PAM/NSS LDAP vulnerabilitiy
===========================================================
Ubuntu Security Notice USN-152-1 July 21, 2005
openldap2, libpam-ldap, libnss-ldap vulnerabilities
CAN-2005-2069
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
The following packages are affected:
libnss-ldap
libpam-ldap
slapd
On Ubuntu 4.10, the problem can be corrected by upgrading the affected
packages to version 2.1.30-2ubuntu4.1 (slapd), 164-2ubuntu0.1
(libpam-ldap), and 220-1ubuntu0.1 (libnss-ldap).
On Ubuntu 5.04, the problem can be corrected by upgrading the affected
packages to version 2.1.30-3ubuntu3.1 (slapd), 169-1ubuntu0.1
(libpam-ldap), and 220-1ubuntu0.1 (libnss-ldap).
In general, a standard system upgrade is sufficient to effect the
necessary changes.
(Please note that libnss-ldap and libpam-ldap are not officially
supported by Ubuntu, they are in the "universe" suite of the archive.)
Details follow:
Andrea Barisani discovered a flaw in the SSL handling of pam-ldap and
libnss-ldap. When a client connected to a slave LDAP server using SSL,
the slave server did not use SSL as well when contacting the LDAP
master server. This caused passwords and other confident information
to be transmitted unencrypted between the slave and the master.
Updated packages for Ubuntu 4.10 (Warty Warthog):
Source archives:
http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_211-4ubuntu0.1.diff.gz
Size/MD5: 40012 180bfdaf8ddf765fbffd5a671c2e08e5
http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_211-4ubuntu0.1.dsc
Size/MD5: 687 6b1c2784a1033e5ec81903976c950331
http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_211.orig.tar.gz
Size/MD5: 221013 34adcab5d46a436617ae686cc7c5e78f
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_164-2ubuntu0.1.diff.gz
Size/MD5: 31544 8d085bc008fe5ac70b2a0ad6d56f92f8
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_164-2ubuntu0.1.dsc
Size/MD5: 678 da1e9384d50f7b968adf547d829b7315
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_164.orig.tar.gz
Size/MD5: 116873 0b5d6ef6735480210d27a3d969f59e12
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/openldap2_2.1.30-2ubuntu4.1.diff.gz
Size/MD5: 116650 89863ef77edba510914cfdad0d3348ef
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/openldap2_2.1.30-2ubuntu4.1.dsc
Size/MD5: 971 a430e9d325011aa5707b511f64d239dd
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/openldap2_2.1.30.orig.tar.gz
Size/MD5: 2044673 e2ae8148c4bed07d7a70edd930bdc403
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libslapd2-dev_2.1.30-2ubuntu4.1_all.deb
Size/MD5: 71854 f2b7772fa613690daa5eb85afcd13a34
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/ldap-utils_2.1.30-2ubuntu4.1_amd64.deb
Size/MD5: 125906 79af7aa37ff71b874214b90ee9ecae1e
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2-dev_2.1.30-2ubuntu4.1_amd64.deb
Size/MD5: 360024 986821f16397c44875c6f9631e376620
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2_2.1.30-2ubuntu4.1_amd64.deb
Size/MD5: 308242 d4047e25be22bcf3064f3401d3827a4f
http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_211-4ubuntu0.1_amd64.deb
Size/MD5: 69096 4dce5370da2e0f675d274801f993ac05
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_164-2ubuntu0.1_amd64.deb
Size/MD5: 49546 bdda10f11dae5c0eb89aae5dcb58f17d
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/slapd_2.1.30-2ubuntu4.1_amd64.deb
Size/MD5: 1000922 d0cccba6c649de288204b677c051763c
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/ldap-utils_2.1.30-2ubuntu4.1_i386.deb
Size/MD5: 111448 146b9142a0148940068a0e583c0f05bd
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2-dev_2.1.30-2ubuntu4.1_i386.deb
Size/MD5: 316880 5828ac19e41a9dfd6f42acc754cb3c5d
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2_2.1.30-2ubuntu4.1_i386.deb
Size/MD5: 283620 2750618047fc01d8393a773caea6ee4f
http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_211-4ubuntu0.1_i386.deb
Size/MD5: 67978 a2a3f9a58c2a01b9e03f8f7e28575b80
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_164-2ubuntu0.1_i386.deb
Size/MD5: 49208 cd423f7aa2211f49110913d661f9effe
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/slapd_2.1.30-2ubuntu4.1_i386.deb
Size/MD5: 902696 5acca424b573c4359cfd26e41677ce0c
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/ldap-utils_2.1.30-2ubuntu4.1_powerpc.deb
Size/MD5: 127948 1a88da127a39484da2c2d0fb782ae0ac
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2-dev_2.1.30-2ubuntu4.1_powerpc.deb
Size/MD5: 371714 e3579e3bedba4e79e4817178aae191de
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2_2.1.30-2ubuntu4.1_powerpc.deb
Size/MD5: 301834 207ffdaf7d6a59efeed541c1186826be
http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_211-4ubuntu0.1_powerpc.deb
Size/MD5: 70402 4dd21e0f29aacf85c3e8caef7ac04ccb
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_164-2ubuntu0.1_powerpc.deb
Size/MD5: 49762 c10ceae89d679444cab7d150d709d09c
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/slapd_2.1.30-2ubuntu4.1_powerpc.deb
Size/MD5: 975904 b3c3f67196e71eb563e501f55bc97dd8
Updated packages for Ubuntu 5.04 (Hoary Hedgehog):
Source archives:
http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_220-1ubuntu0.1.diff.gz
Size/MD5: 26873 59ccd69249e345d2f535a4b6bdf323dd
http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_220-1ubuntu0.1.dsc
Size/MD5: 687 660f621b904c8cc6db16a1027bca370c
http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_220.orig.tar.gz
Size/MD5: 204826 d401485fcabf4ea40d244c2c9a19247e
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_169-1ubuntu0.1.diff.gz
Size/MD5: 26203 f6618a137174a52f3eaa2c6dc357b434
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_169-1ubuntu0.1.dsc
Size/MD5: 678 ba2b65635fcc64aefc6a12c2c90b3bd0
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_169.orig.tar.gz
Size/MD5: 119817 62abfe9c5d62e7d112c12d0e5863129f
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/openldap2_2.1.30-3ubuntu3.1.diff.gz
Size/MD5: 117295 743d542b68dd5d743527ac15500b8b51
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/openldap2_2.1.30-3ubuntu3.1.dsc
Size/MD5: 988 abcae0bb7933a4634c0562c41b17a4d5
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/openldap2_2.1.30.orig.tar.gz
Size/MD5: 2044673 e2ae8148c4bed07d7a70edd930bdc403
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libslapd2-dev_2.1.30-3ubuntu3.1_all.deb
Size/MD5: 72308 60a8341fad6776f7da90291b0c0a41e5
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/ldap-utils_2.1.30-3ubuntu3.1_amd64.deb
Size/MD5: 126282 504170293b367b3d3960c19619386368
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2-dev_2.1.30-3ubuntu3.1_amd64.deb
Size/MD5: 361172 fc2aaa72ddc00c7ea6e9118d18532672
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2_2.1.30-3ubuntu3.1_amd64.deb
Size/MD5: 309092 62bb57d16d2e0b7ef505d9023eacc687
http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_220-1ubuntu0.1_amd64.deb
Size/MD5: 74590 f1087a8146dd42601bbc990f8d1c755d
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_169-1ubuntu0.1_amd64.deb
Size/MD5: 52078 6057c9f1597d80a2c162837b25f2e9a7
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/slapd_2.1.30-3ubuntu3.1_amd64.deb
Size/MD5: 1087990 a8a2b8b425be64cb3fcf5a32a8d83416
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/ldap-utils_2.1.30-3ubuntu3.1_i386.deb
Size/MD5: 110644 d52d6dd0c45e8532c6170ddf1a52f19c
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2-dev_2.1.30-3ubuntu3.1_i386.deb
Size/MD5: 317990 4e54bf4ec7dc799de00bf8bf0711bded
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2_2.1.30-3ubuntu3.1_i386.deb
Size/MD5: 284484 89c8c1a89831713025896642ccccd900
http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_220-1ubuntu0.1_i386.deb
Size/MD5: 73536 ed6ee791428191886b86d29063997565
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_169-1ubuntu0.1_i386.deb
Size/MD5: 51670 384be799688e0277feb86b4508288699
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/slapd_2.1.30-3ubuntu3.1_i386.deb
Size/MD5: 979238 3e2fad1ffb1b9d7eac366467da98e3ce
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/ldap-utils_2.1.30-3ubuntu3.1_powerpc.deb
Size/MD5: 129544 bb935cbb6fc5e7670646607d0c481ff6
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2-dev_2.1.30-3ubuntu3.1_powerpc.deb
Size/MD5: 373102 fbd4736d7f2167db5a204609f08076e6
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/libldap2_2.1.30-3ubuntu3.1_powerpc.deb
Size/MD5: 302728 8e97eb53df941a8d4546f3de39477aa7
http://security.ubuntu.com/ubuntu/pool/universe/libn/libnss-ldap/libnss-ldap_220-1ubuntu0.1_powerpc.deb
Size/MD5: 75784 8d77afd6f2a602294cc1d953b9995c38
http://security.ubuntu.com/ubuntu/pool/universe/libp/libpam-ldap/libpam-ldap_169-1ubuntu0.1_powerpc.deb
Size/MD5: 52180 40ef599a113e873a235b76f315a444d2
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2/slapd_2.1.30-3ubuntu3.1_powerpc.deb
Size/MD5: 1058104 59a515083487c2218c4acefb99bee97d
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050721/21383406/attachment.bin
Powered by blists - more mailing lists