To: [email protected]Subject: [ MDKSA-2006:201 ] - Updated pam_ldap packages fix PasswordPolicyReponse coding error
Date: Tue, 7 Nov 2006 19:45:00 -0700
From: [email protected]
Reply-To: <xsecurity@mandriva.com.>
Message-Id: <E1GhdQy-0007Dw-AH@mercury.mandriva.com.>
Sender: QATeam User <qateam@mercury.mandriva.com.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:201
http://www.mandriva.com/security/
_______________________________________________________________________
Package : pam_ldap
Date : November 7, 2006
Affected: 2006.0, 2007.0, Corporate 4.0
_______________________________________________________________________
Problem Description:
Pam_ldap does not return an error condition when an LDAP directory
server responds with a PasswordPolicyResponse control response, which
causes the pam_authenticate function to return a success code even if
authentication has failed, as originally reported for xscreensaver.
This might lead to an attacker being able to login into a suspended
system account.
Updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5170
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2006.0:
88544f487e0884831e8dca48d9420eca 2006.0/i586/pam_ldap-180-2.1.20060mdk.i586.rpm
2873ac0db22512131ad2f4a5d055e035 2006.0/SRPMS/pam_ldap-180-2.1.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
4cdb139a35c0b877fccb62b344292133 2006.0/x86_64/pam_ldap-180-2.1.20060mdk.x86_64.rpm
2873ac0db22512131ad2f4a5d055e035 2006.0/SRPMS/pam_ldap-180-2.1.20060mdk.src.rpm
Mandriva Linux 2007.0:
338ecc4e0b69209b99f9ad317d6d2385 2007.0/i586/pam_ldap-180-4.1mdv2007.0.i586.rpm
3a747dcc317e95fdc9011c1dfc4254ef 2007.0/SRPMS/pam_ldap-180-4.1mdv2007.0.src.rpm
Mandriva Linux 2007.0/X86_64:
079964ab75deaa3a8d723bc63c4e9be7 2007.0/x86_64/pam_ldap-180-4.1mdv2007.0.x86_64.rpm
3a747dcc317e95fdc9011c1dfc4254ef 2007.0/SRPMS/pam_ldap-180-4.1mdv2007.0.src.rpm
Corporate 4.0:
8e800885b38df7d3b566cea4934cdb24 corporate/4.0/i586/pam_ldap-180-3.1.20060mlcs4.i586.rpm
4abf9cd7b032153e407cf487968bc10a corporate/4.0/SRPMS/pam_ldap-180-3.1.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
92a60cc8a2d16e7cb305a7665e39e696 corporate/4.0/x86_64/pam_ldap-180-3.1.20060mlcs4.x86_64.rpm
4abf9cd7b032153e407cf487968bc10a corporate/4.0/SRPMS/pam_ldap-180-3.1.20060mlcs4.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFFURi4mqjQ0CJFipgRAv+AAJ9X0lbBUIA1pFc3IbMFw2/ob60zIACfQSN3
HXWy3ifc4tvQC0XYyy4M2f0=
=E4uj
-----END PGP SIGNATURE-----