Debian Bug report logs - #392984
CVE-2006-5170: pam_ldap authentication bypass
Reported by: Stefan Fritsch <sf@sfritsch.de>
Date: Sat, 14 Oct 2006 14:48:53 UTC
Severity: grave
Tags: patch, security
Fixed in version 180-1.2
Done: Stefan Fritsch <sf@sfritsch.de>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org: Bug#392984; Package libpam_ldap.
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>: New Bug report received and forwarded. Copy sent to unknown-package@qa.debian.org.
Message #5 received at submit@bugs.debian.org:
Package: libpam_ldap
Severity: grave
Tags: security patch
Justification: user security hole
A vulnerability has been found in libpam_ldap:
pam_ldap in nss_ldap on Red Hat Enterprise Linux 4, Fedora Core 3 and
earlier, and possibly other distributions does not return an error
condition when an LDAP directory server responds with a
PasswordPolicyResponse control response, which causes the
pam_authenticate function to return a success code even if
authentication has failed, as originally reported for xscreensaver.
See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207286 for
details.
From the patch given in the bug report, libpam-ldap 180-1.1 in Debian
seems to be vulnerable, too. Please mention the CVE id in the changelog.
I have attached the patch as there is only a .srpm in the Red Hat bug
report.
[pam_ldap-176-no_suppress.patch (text/plain, attachment)]
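The report above describes a status-handling bug: the module decodes the bind result, then goes on to parse the PasswordPolicyResponse control, and the outcome of that second step replaces the outcome of the bind, so a failed bind is reported to PAM as success. The following C model is an added illustration written for this page; it is not pam_ldap's code and the names (bind_result, parse_ppolicy_control, authenticate_vulnerable, authenticate_fixed) are hypothetical. It places the clobbering pattern next to a version that keeps the bind status in its own variable, which is the shape of fix the attached patch aims at.

```c
/* Constructed model of the CVE-2006-5170 bug class: a later call that
 * parses an LDAP response control overwrites the status of the bind
 * itself, so an authentication failure is reported as success.
 * This is NOT pam_ldap's code; names and structure are illustrative. */
#include <stdio.h>

/* Values mirror the public PAM and LDAP headers; defined locally so the
 * example builds without libpam or libldap installed. */
#define PAM_SUCCESS              0
#define PAM_AUTH_ERR             7
#define LDAP_SUCCESS             0
#define LDAP_INVALID_CREDENTIALS 49

/* Hypothetical decoded bind response: the server's result code plus
 * whether a PasswordPolicyResponse control was attached. */
struct bind_result {
    int bind_rc;        /* LDAP result code of the bind operation */
    int has_ppolicy;    /* 1 if a PasswordPolicyResponse control was present */
    int ppolicy_error;  /* decoded ppolicy error field (0 = none), hypothetical */
};

/* Hypothetical control parser: returns LDAP_SUCCESS when the control is
 * well-formed, regardless of whether the bind itself succeeded. */
static int parse_ppolicy_control(const struct bind_result *r, int *ppolicy_error)
{
    *ppolicy_error = r->ppolicy_error;
    return LDAP_SUCCESS;
}

/* Vulnerable pattern: one 'rc' variable is reused for the control parse,
 * clobbering the bind status. With a control present and an
 * INVALID_CREDENTIALS bind, rc ends up LDAP_SUCCESS. */
int authenticate_vulnerable(const struct bind_result *r)
{
    int rc = r->bind_rc;
    int ppolicy_error = 0;

    if (r->has_ppolicy) {
        rc = parse_ppolicy_control(r, &ppolicy_error);  /* BUG: overwrites bind rc */
    }
    return (rc == LDAP_SUCCESS) ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Fixed pattern: the bind status decides the PAM result. The control is
 * parsed into a separate status and can only add information (an expiry
 * warning, say) or deny further; it can never turn a failure into success. */
int authenticate_fixed(const struct bind_result *r)
{
    int bind_rc = r->bind_rc;
    int ppolicy_error = 0;

    if (r->has_ppolicy) {
        int ctl_rc = parse_ppolicy_control(r, &ppolicy_error);
        if (ctl_rc != LDAP_SUCCESS) {
            return PAM_AUTH_ERR;  /* a malformed control is itself a reason to deny */
        }
    }
    if (bind_rc != LDAP_SUCCESS) {
        return PAM_AUTH_ERR;
    }
    return PAM_SUCCESS;
}

int main(void)
{
    /* constructed input: wrong password, server attaches a ppolicy control */
    struct bind_result bad_pw_with_ctl = { LDAP_INVALID_CREDENTIALS, 1, 0 };
    printf("vulnerable: %d (0 = PAM_SUCCESS)\n", authenticate_vulnerable(&bad_pw_with_ctl));
    printf("fixed:      %d (7 = PAM_AUTH_ERR)\n", authenticate_fixed(&bad_pw_with_ctl));
    return 0;
}
```

The check worth carrying into any review of a bind routine is the one the fixed version encodes: the variable that decides the PAM return value must be assigned only by the bind result, and every later call that can also report a status writes to its own variable.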
Reply sent to Stefan Fritsch <sf@sfritsch.de>: You have taken responsibility.
Notification sent to Stefan Fritsch <sf@sfritsch.de>: Bug acknowledged by developer.
Message #12 received at 392984-done@bugs.debian.org:
Version: 180-1.2
Fixed by NMU
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 22 Oct 2006 22:26:58 +0200
Source: libpam-ldap
Binary: libpam-ldap
Architecture: source i386
Version: 180-1.2
Distribution: unstable
Urgency: high
Maintainer: Stephen Frost <sfrost@debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description:
libpam-ldap - Pluggable Authentication Module allowing LDAP interfaces
Changes:
libpam-ldap (180-1.2) unstable; urgency=high
.
* NMU for RC security bug.
* Fix error passing for PasswordPolicyResponse control responses.
(CVE-2006-5170)
Files:
fdcb676bce1ec85bd537f27be2e6014b 633 admin extra libpam-ldap_180-1.2.dsc
2c1223188cc208dadd18a5c3517872eb 20800 admin extra libpam-ldap_180-1.2.diff.gz
90c30affd16764f3874d7b2dd3273a6a 62634 admin extra libpam-ldap_180-1.2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFO9UIXm3vHE4uyloRArRYAJ9bcQ7lJGJErJtfP1zpubt/v8VkIACgvmXO
nY+sYkjWx5NSdyPj/c3kXow=
=qvph
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 20:54:33 GMT)
Last modified: Wed Jun 19 15:47:55 2019