Gentoo Forums
[ GLSA 200507-13 ] pam_ldap and nss_ldap: Plain text authentication leak
GLSA
Advocate


Joined: 12 May 2004
Posts: 2663

Posted: Thu Jul 14, 2005 10:17 am    Post subject: [ GLSA 200507-13 ] pam_ldap and nss_ldap: Plain text authentication leak

Gentoo Linux Security Advisory

Title: pam_ldap and nss_ldap: Plain text authentication leak (GLSA 200507-13)
Severity: normal
Exploitable: remote
Date: July 14, 2005
Bug(s): #96767
ID: 200507-13

Synopsis

pam_ldap and nss_ldap fail to restart TLS when following a referral, possibly leading to credentials being sent in plain text.

Background

pam_ldap is a Pluggable Authentication Module which allows authentication against an LDAP directory. nss_ldap is a Name Service Switch module which allows 'passwd', 'group' and 'host' database information to be pulled from LDAP. TLS is Transport Layer Security, a protocol that allows encryption of network communications.

Affected Packages

Package: sys-auth/nss_ldap
Vulnerable: < 239-r1
Unaffected: >= 239-r1
Unaffected: >= 226-r1 < 226227
Architectures: All supported architectures

Package: sys-auth/pam_ldap
Vulnerable: < 178-r1
Unaffected: >= 178-r1
Architectures: All supported architectures


Description

Rob Holland of the Gentoo Security Audit Team discovered that pam_ldap and nss_ldap fail to use TLS for referred connections if they are referred to a master after connecting to a slave, regardless of the "ssl start_tls" ldap.conf setting.

Impact

An attacker could sniff passwords or other sensitive information as the communication is not encrypted.

Workaround

pam_ldap and nss_ldap can be set to force the use of SSL instead of TLS.
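The following checker is an added example, not code from the advisory or from the pam_ldap/nss_ldap projects. It reads a PADL-style ldap.conf and reports whether the configuration relies on "ssl start_tls" (which an unpatched version drops when following a referral to the master, as described above) or on forced SSL as in the workaround; the hostnames and file contents are constructed, and the function names are hypothetical.

```python
"""Audit a pam_ldap/nss_ldap ldap.conf for the GLSA 200507-13 exposure.

Hypothetical checker (not part of pam_ldap, nss_ldap or Gentoo). It parses the
PADL-style 'key value' lines and classifies how the directory is reached.
"""

# Constructed sample configurations (not taken from any real host).
VULNERABLE_CONF = """\
uri ldap://ldap-slave.example.test/
base dc=example,dc=test
ssl start_tls
tls_checkpeer yes
"""
WORKAROUND_CONF = """\
uri ldaps://ldap-slave.example.test/
base dc=example,dc=test
ssl on
tls_checkpeer yes
"""

def parse_ldap_conf(text):
    """Return {key: [value, ...]} for non-comment 'key value' lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf

def audit_ldap_conf(text):
    """Return (mode, findings); mode is 'ldaps', 'start_tls' or 'plain'."""
    conf = parse_ldap_conf(text)
    ssl = conf.get("ssl", ["off"])[-1].lower()          # last setting wins
    uris = " ".join(conf.get("uri", [])).split()
    findings = []
    if ssl == "on" or (uris and all(u.lower().startswith("ldaps://") for u in uris)):
        mode = "ldaps"                                   # SSL forced: the workaround
    elif ssl == "start_tls":
        mode = "start_tls"
        findings.append("ssl start_tls: an unpatched pam_ldap (<178-r1) or nss_ldap "
                        "(<239-r1) follows a referral to the master without TLS; "
                        "upgrade, or force SSL ('ssl on' / ldaps:// URIs)")
    else:
        mode = "plain"
        findings.append("no TLS configured: credentials are sent in plain text")
    if mode != "plain" and conf.get("tls_checkpeer", ["no"])[-1].lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': server certificate is not verified")
    return mode, findings
```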

Resolution

All pam_ldap users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-auth/pam_ldap-178-r1"
All nss_ldap users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose sys-auth/nss_ldap


References

CAN-2005-2069


Last edited by GLSA on Sun May 07, 2006 4:58 pm; edited 1 time in total