Bug#: 96767
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: rob holland (RETIRED) <tigger@gentoo.org>
Filename Description Type Creator Created Size Actions
nss_ldap.patch tls patch for referrals for nss_ldap patch rob holland (RETIRED) 2005-07-03 15:42 0000 1022 bytes Details | Diff

Description:   Opened: 2005-06-22 03:11 0000
pam_ldap will send credentials in plaintext if a slave ldap server refers it to
a master server during a password change operation. The ldap.conf "ssl
start_tls" setting is not enforced on referrals (and openldap doesn't currently
allow it due to a bug).

Worst case is that server admins are not enforcing tls server-side, in which
case passwd will appear to work fine, but will be sending stuff over the wire
in plaintext.

Two patches are needed to fix this, one for pam_ldap to request tls on
referrals, and one for openldap to accept the request.

http://bugzilla.padl.com/show_bug.cgi?id=210

http://www.openldap.org/its/index.cgi/Incoming?id=3791
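The failure mode described above, as an added example that is not part of the bug report or of the pam_ldap/OpenLDAP code: a constructed simulation of a client chasing a referral, contrasting a rebind that ignores TLS with one that applies the "ssl start_tls" setting to the referred connection and refuses to bind if TLS cannot be established. `FakeLdapConn`, `rebind_vulnerable` and `rebind_fixed` are hypothetical names; no real LDAP server is contacted.

```python
"""Added example (not from the bug report, pam_ldap or OpenLDAP): simulate chasing
an LDAP referral so the vulnerable rebind can be compared with the fixed one.
The connection class is a constructed stand-in; nothing touches the network."""
from urllib.parse import urlsplit


class FakeLdapConn:
    """Stand-in connection that records whether each bind crossed the wire under TLS."""
    def __init__(self, url, server_supports_starttls=True):
        self.tls_active = urlsplit(url).scheme == "ldaps"  # ldaps:// is TLS from the start
        self._supports_starttls = server_supports_starttls
        self.wire = []  # one ("bind", protection) entry per bind sent

    def start_tls(self):
        if not self._supports_starttls:
            raise RuntimeError("server refused StartTLS")
        self.tls_active = True

    def bind(self, dn, password):
        # The password leaves the host here; record how it was protected.
        self.wire.append(("bind", "tls" if self.tls_active else "plaintext"))


def rebind_vulnerable(referral_url, dn, password):
    """Original behaviour: bind on the referred connection without re-establishing TLS,
    even though the first connection (from ldap.conf) used start_tls."""
    conn = FakeLdapConn(referral_url)
    conn.bind(dn, password)
    return conn.wire


def rebind_fixed(referral_url, dn, password, conf, server_supports_starttls=True):
    """Fixed behaviour: honour conf["ssl"] == "start_tls" (mirroring the ldap.conf
    setting) on the referred connection too, and refuse to send credentials at all
    if TLS cannot be established there."""
    conn = FakeLdapConn(referral_url, server_supports_starttls)
    if conf.get("ssl") == "start_tls" and not conn.tls_active:
        try:
            conn.start_tls()
        except RuntimeError as exc:
            raise PermissionError(f"not binding to {referral_url}: {exc}") from exc
    conn.bind(dn, password)
    return conn.wire
```

The fixed path also shows why the admin-side mitigation in the report matters: with no "ssl start_tls" in the configuration the client still binds in the clear, so server-side TLS enforcement is the backstop.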

------- Comment #1 From rob holland (RETIRED) 2005-06-22 03:13:53 0000 -------
setting upstream as fixes have been filed in the relevant bug systems.

------- Comment #2 From Thierry Carrez (RETIRED) 2005-06-22 03:35:51 0000 -------
Cleaning up :)

------- Comment #3 From rob holland (RETIRED) 2005-06-28 03:37:21 0000 -------
Can we please being carrying this patch in the ebuilds? Upstream aren't
responding and this is a serious issue.

------- Comment #4 From rob holland (RETIRED) 2005-06-28 03:54:45 0000 -------
s/being/begin/ :)

adding robbat2 as this needs openldap lovin as well.

------- Comment #5 From Thierry Carrez (RETIRED) 2005-06-29 13:25:13 0000 -------
======================================================
Candidate: CAN-2005-2069
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2069
Reference: MISC:http://www.openldap.org/its/index.cgi/Incoming?id=3791
Reference: MISC:http://bugzilla.padl.com/show_bug.cgi?id=210
Reference:
CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161990

pam_ldap and OpenLDAP, when connecting to a slave using TLS, does not
use TLS for the subsequent connection if the client is referred to a
master, which causes a password to be sent in cleartext and allows
remote attackers to sniff the password.
======================================================

Robin: please patch (or comment)

------- Comment #6 From Robin Johnson 2005-07-03 11:55:47 0000 -------
could security please check the code in nss_ldap as well, as it shares code 
with pam_ldap last I checked, and thus may be vulnerable to the same problem.

------- Comment #7 From Robin Johnson 2005-07-03 12:10:56 0000 -------
pam_ldap is patched now.
both 176-r1 and 178-r1 have the patch.
Could arches please test 178-r1, and if it works, stable it. If it doesn't 
work, try 176-r1 instead.

------- Comment #8 From Robin Johnson 2005-07-03 12:16:08 0000 -------
openldap is patched now.
2.1.30-r5 and 2.2.27-r1 have the patch.
2.1.30-r5 is the ebuild that should go stable.
2.2.27-r1 (and the 2.2 series in general) will be considered for stable in 30
days.

------- Comment #9 From Diego Pettenò 2005-07-03 12:16:29 0000 -------
Updating the package name :) 

------- Comment #10 From Stefan Cornelius (RETIRED) 2005-07-03 15:12:38 0000 -------
Dear arches, please test sys-auth/pam_ldap-178-r1 and mark stable if possible
(if it fails, try 176-r1).
Please also try to mark openldap-2.1.30-r5 stable, thanks.

------- Comment #11 From rob holland (RETIRED) 2005-07-03 15:41:10 0000 -------
good call wrt nss_ldap. untested patch follows. if there are problems I'll try
to fix first thing tomorrow.

------- Comment #12 From rob holland (RETIRED) 2005-07-03 15:42:11 0000 -------
Created an attachment (id=62564) [edit]
tls patch for referrals for nss_ldap

------- Comment #13 From rob holland (RETIRED) 2005-07-04 02:09:02 0000 -------
pam_ldap/nss_ldap ebuilds which have the tls problem fixed must DEPEND on
openldap ebuilds with the relevant library fix, otherwise they won't function.

------- Comment #14 From Andrea Barisani (RETIRED) 2005-07-04 03:41:37 0000 -------
Well nss_ldap doesn't perform updates, so I don't think it's affected by this
issue.

------- Comment #15 From Andrea Barisani (RETIRED) 2005-07-04 03:45:46 0000 -------
Ok as rob pointed out referrals are used not only for updates but for subtrees
as well...so ignore me ;)

------- Comment #16 From Thierry Carrez (RETIRED) 2005-07-04 06:15:14 0000 -------
lcars: any reason to clear our precious status whiteboard ?

------- Comment #17 From Andrea Barisani (RETIRED) 2005-07-04 06:17:17 0000 -------
Sorry :/ blame /usr/bin/links. I'll be more careful in the future (but honestly
it was impossible to spot without a post-commit review). links--

------- Comment #18 From Jason Wever (RETIRED) 2005-07-04 15:40:02 0000 -------
pam_ldap-178-r1 and openldap-2.1.30-r5 stable on sparc.

------- Comment #19 From Michael Hanselmann (hansmi) (RETIRED) 2005-07-06 13:08:18 0000 -------
Stable on ppc.

------- Comment #20 From Robin Johnson 2005-07-06 16:47:29 0000 -------
ok, nss_ldap is patched as well now. Hopefully there is nothing else affected
by this bug. sorry about the delay.

arches:
please test nss_ldap-239-r1 first, but if that doesn't work, test 226-r1
instead.

sparc/ppc: sorry to bring you back, but ^^^^

------- Comment #21 From Markus Rothe 2005-07-07 03:37:04 0000 -------
openldap-2.1.30-r5: stable on ppc64
pam_ldap-178-r1: was never marked ppc64 in any way -> added ~ppc64
nss_ldap-239-r1: versions after 226 didn't compile, this one works again ->
added ~ppc64

I'll mark those packages with ~ppc64 stable in 30 days, if no errors occur.

------- Comment #22 From Jason Wever (RETIRED) 2005-07-09 05:48:19 0000 -------
Stable on SPARC

------- Comment #23 From Simon Stelling (RETIRED) 2005-07-11 05:03:44 0000 -------
amd64 stable

------- Comment #24 From Thierry Carrez (RETIRED) 2005-07-13 07:16:24 0000 -------
GLSA is ready to go...

hppa,x86: please test and mark stable pam_ldap-178-r1 and nss_ldap-239-r1 (or
226-r1)

ppc: please test and mark stable nss_ldap-239-r1 (or 226-r1)

ppc64 : we'll need it for the GLSA before the 30 days period, as current stable
version is affected and the GLSA must go out. So please test and mark stable
nss_ldap-239-r1 if you can.

------- Comment #25 From Michael Hanselmann (hansmi) (RETIRED) 2005-07-13 07:42:56 0000 -------
Stable on hppa and ppc.

------- Comment #26 From rob holland (RETIRED) 2005-07-13 08:42:26 0000 -------
stable on x86

------- Comment #27 From Markus Rothe 2005-07-13 13:24:28 0000 -------
oh.. I didn't think about that. nss_ldap-239-r1 is stable now on ppc64. sorry
for the delay...

------- Comment #28 From Thierry Carrez (RETIRED) 2005-07-13 13:35:20 0000 -------
Should be ready for GLSA

------- Comment #29 From Thierry Carrez (RETIRED) 2005-07-14 03:21:24 0000 -------
GLSA 200507-13
(Removed misc arches that did not have those packages keyworded anyway)
