
Bug 140490

Summary: sys-auth/nss_ldap - security cleanup needed
Product: Gentoo Linux
Reporter: Jakub Moc (RETIRED) <jakub>
Component: New packages
Assignee: PAM Gentoo Team (OBSOLETE) <pam-bugs+disabled>
Status: RESOLVED FIXED
Severity: normal
CC: hansmi, ldap-bugs, robbat2, vorlon
Priority: High
Version: 2006.0
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Jakub Moc (RETIRED) gentoo-dev 2006-07-15 07:14:52 UTC
sys-auth/nss_ldap-174-r2: vulnerable via glsa(200507-13) ( ver-rev < 239-r1 && not ( ver = 226 && ver-rev => 226-r1 ) ), affects ('sparc', 'x86')
sys-auth/nss_ldap-202: vulnerable via glsa(200507-13) ( ver-rev < 239-r1 && not ( ver = 226 && ver-rev => 226-r1 ) ), affects ('sparc', 'x86')
sys-auth/nss_ldap-207: vulnerable via glsa(200507-13) ( ver-rev < 239-r1 && not ( ver = 226 && ver-rev => 226-r1 ) ), affects ('sparc', 'x86')
sys-auth/nss_ldap-207-r1: vulnerable via glsa(200507-13) ( ver-rev < 239-r1 && not ( ver = 226 && ver-rev => 226-r1 ) ), affects ('sparc', 'x86')
sys-auth/nss_ldap-210: vulnerable via glsa(200507-13) ( ver-rev < 239-r1 && not ( ver = 226 && ver-rev => 226-r1 ) ), affects ('sparc', 'x86')
sys-auth/nss_ldap-211: vulnerable via glsa(200507-13) ( ver-rev < 239-r1 && not ( ver = 226 && ver-rev => 226-r1 ) ), affects ('sparc', 'x86')
sys-auth/nss_ldap-215: vulnerable via glsa(200507-13) ( ver-rev < 239-r1 && not ( ver = 226 && ver-rev => 226-r1 ) ), affects ('amd64', 'sparc', 'x86')
sys-auth/nss_ldap-215-r1: vulnerable via glsa(200507-13) ( ver-rev < 239-r1 && not ( ver = 226 && ver-rev => 226-r1 ) ), affects ('amd64', 'hppa', 'ppc', 'sparc', 'x86')
sys-auth/nss_ldap-220: vulnerable via glsa(200507-13) ( ver-rev < 239-r1 && not ( ver = 226 && ver-rev => 226-r1 ) ), affects ('alpha', 'amd64', 'hppa', 'ppc', 'ppc64', 'sparc', 'x86')
sys-auth/nss_ldap-226: vulnerable via glsa(200507-13) ( ver-rev < 239-r1 && not ( ver = 226 && ver-rev => 226-r1 ) ), affects ('alpha', 'amd64', 'hppa', 'ppc', 'sparc', 'x86')
sys-auth/nss_ldap-234: vulnerable via glsa(200507-13) ( ver-rev < 239-r1 && not ( ver = 226 && ver-rev => 226-r1 ) ), affects ('alpha', 'amd64', 'hppa', 'ppc', 'ppc64', 'sparc', 'x86')
sys-auth/nss_ldap-238: vulnerable via glsa(200507-13) ( ver-rev < 239-r1 && not ( ver = 226 && ver-rev => 226-r1 ) ), affects ('alpha', 'amd64', 'hppa', 'ppc', 'sparc', 'x86')
sys-auth/nss_ldap-239: vulnerable via glsa(200507-13) ( ver-rev < 239-r1 && not ( ver = 226 && ver-rev => 226-r1 ) ), affects ('alpha', 'amd64', 'hppa', 'ppc', 'sparc', 'x86')

sys-auth/pam_ldap-156: vulnerable via glsa(200508-22) ( ver < 180 ), affects ('amd64', 'ppc', 'sparc', 'x86')
sys-auth/pam_ldap-156: vulnerable via glsa(200507-13) ( ver-rev < 178-r1 ), affects ('amd64', 'ppc', 'sparc', 'x86')
sys-auth/pam_ldap-161: vulnerable via glsa(200508-22) ( ver < 180 ), affects ('sparc', 'x86')
sys-auth/pam_ldap-161: vulnerable via glsa(200507-13) ( ver-rev < 178-r1 ), affects ('sparc', 'x86')
sys-auth/pam_ldap-164: vulnerable via glsa(200508-22) ( ver < 180 ), affects ('sparc', 'x86')
sys-auth/pam_ldap-164: vulnerable via glsa(200507-13) ( ver-rev < 178-r1 ), affects ('sparc', 'x86')
sys-auth/pam_ldap-167: vulnerable via glsa(200508-22) ( ver < 180 ), affects ('hppa', 'ppc', 'sparc', 'x86')
sys-auth/pam_ldap-167: vulnerable via glsa(200507-13) ( ver-rev < 178-r1 ), affects ('hppa', 'ppc', 'sparc', 'x86')
sys-auth/pam_ldap-171: vulnerable via glsa(200508-22) ( ver < 180 ), affects ('alpha', 'hppa', 'ppc', 'sparc', 'x86')
sys-auth/pam_ldap-171: vulnerable via glsa(200507-13) ( ver-rev < 178-r1 ), affects ('alpha', 'hppa', 'ppc', 'sparc', 'x86')
sys-auth/pam_ldap-176: vulnerable via glsa(200508-22) ( ver < 180 ), affects ('alpha', 'hppa', 'ppc', 'sparc', 'x86')
sys-auth/pam_ldap-176: vulnerable via glsa(200507-13) ( ver-rev < 178-r1 ), affects ('alpha', 'hppa', 'ppc', 'sparc', 'x86')
sys-auth/pam_ldap-176-r1: vulnerable via glsa(200508-22) ( ver < 180 ), affects ('alpha', 'hppa', 'ppc', 'sparc', 'x86')
sys-auth/pam_ldap-176-r1: vulnerable via glsa(200507-13) ( ver-rev < 178-r1 ), affects ('alpha', 'hppa', 'ppc', 'sparc', 'x86')
sys-auth/pam_ldap-178: vulnerable via glsa(200508-22) ( ver < 180 ), affects ('alpha', 'hppa', 'ppc', 'sparc', 'x86')
sys-auth/pam_ldap-178: vulnerable via glsa(200507-13) ( ver-rev < 178-r1 ), affects ('alpha', 'hppa', 'ppc', 'sparc', 'x86')
sys-auth/pam_ldap-178-r1: vulnerable via glsa(200508-22) ( ver < 180 ), affects ('alpha', 'amd64', 'hppa', 'ppc', 'ppc64', 'sparc', 'x86')

sys-auth/pam_mysql-0.5: vulnerable via glsa(200606-18) ( ver < 0.7_rc1 ), affects ('alpha', 'amd64', 'ppc', 'sparc', 'x86')
sys-auth/pam_mysql-0.6.0: vulnerable via glsa(200606-18) ( ver < 0.7_rc1 ), affects ('alpha', 'amd64', 'ppc', 'sparc', 'x86')

Please, clean up the above. Thanks.

Comment 1 Luca Longinotti (RETIRED) gentoo-dev 2006-07-15 08:34:36 UTC
All vulnerable pam-mysql releases deleted.
Best regards, CHTEKK.

Comment 2 Jakub Moc (RETIRED) gentoo-dev 2006-09-02 16:55:59 UTC
Please, do it...

Comment 3 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2006-09-19 12:58:13 UTC
<hansmi> robbat2: Should I clean up nss_ldap and bump to 253? (Just tested the latter one)
<robbat2> there are folk still reporting problems with the new ones, and they are finding a need to use the old ones still
<robbat2> i'm certain it's upstream buggery, but I haven't managed to trace it down yet

Hence it isn't cleaned yet.

Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-11 06:19:59 UTC
The older versions should really be removed if possible, since there is also another issue affecting those (s. bug #150294).

Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-10-12 09:27:16 UTC
I've removed old pam_ldap versions at least.. nss_ldap is, as Robin said, still there.

Comment 6 Jakub Moc (RETIRED) gentoo-dev 2006-12-01 11:38:49 UTC
All done, wheeeeee! :)