From security@mandriva.com Fri Oct 21 03:00:24 2005 From: Mandriva Security Team To: full-disclosure@lists.grok.org.uk Date: Fri, 21 Oct 2005 00:24:28 -0600 Subject: [Full-disclosure] MDKSA-2005:190 - Updated nss_ldap/pam_ldap packages fix privilege vulnerabilities. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Update Advisory _______________________________________________________________________ Package name: nss_ldap Advisory ID: MDKSA-2005:190 Date: October 20th, 2005 Affected versions: 10.1, 10.2 ______________________________________________________________________ Problem Description: A bug was found in the way the pam_ldap module processed certain failure messages. If the server includes supplemental data in an authentication failure result message, but the data does not include any specific error code, the pam_ldap module would proceed as if the authentication request had succeeded, and authentication would succeed. This affects versions 169 through 179 of pam_ldap. The updated packages have been patched to address this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2641 ______________________________________________________________________ Updated Packages: Mandrivalinux 10.1: 3cf5ab097f8e69b9e1ace711537fcb46 10.1/RPMS/nss_ldap-220-3.2.101mdk.i586.rpm e5d3c8684a35cc147943b0b4a1922a42 10.1/RPMS/pam_ldap-170-3.2.101mdk.i586.rpm edad8885447d4d059ff1c689ee6a6f7d 10.1/SRPMS/nss_ldap-220-3.2.101mdk.src.rpm Mandrivalinux 10.1/X86_64: 7b8c8c7c40c30963aff186adffc94324 x86_64/10.1/RPMS/nss_ldap-220-3.2.101mdk.x86_64.rpm ecbaa427c916e7fab0c355a91e04ee98 x86_64/10.1/RPMS/pam_ldap-170-3.2.101mdk.x86_64.rpm edad8885447d4d059ff1c689ee6a6f7d x86_64/10.1/SRPMS/nss_ldap-220-3.2.101mdk.src.rpm Mandrivalinux 10.2: 19950ddbfe52c8f0aa6e11ed93c59737 10.2/RPMS/pam_ldap-170-5.3.102mdk.i586.rpm dab9943bb867001a4a4e514ffc58d84e 10.2/RPMS/nss_ldap-220-5.3.102mdk.i586.rpm 08e82d8a5fdcdd1620d8a22ec002173d 10.2/SRPMS/nss_ldap-220-5.3.102mdk.src.rpm Mandrivalinux 10.2/X86_64: 54ff3f02df2e5f7c11564488784fc3ab x86_64/10.2/RPMS/nss_ldap-220-5.3.102mdk.x86_64.rpm 9d5541f3ac77d8ce6e2b8877b25f8980 x86_64/10.2/RPMS/pam_ldap-170-5.3.102mdk.x86_64.rpm 08e82d8a5fdcdd1620d8a22ec002173d x86_64/10.2/SRPMS/nss_ldap-220-5.3.102mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFDWImbmqjQ0CJFipgRAgX8AJ4jyjMmvr+bQ0j4kimAmSySxfnBTACgz4n5 cXO1suU5/bUFVM9e/Q5KKXo= =jVbI -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/