Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 150294

Summary: sys-auth/nss_ldap allows trivial local-console access to locked accounts
Product: Gentoo Security Reporter: Matt Drew (RETIRED) <aetius>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2641
Whiteboard:
Package list:
Runtime testing required: ---

Description Matt Drew (RETIRED) gentoo-dev 2006-10-06 08:51:58 UTC
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207286
https://issues.rpath.com/browse/RPL-680

The Red Hat bug is x86_64, but the rpath bug doesn't report platform and the CVE links to several advisories that update all platforms (Mandriva, for instance).

This is an old bug that just popped up again on fulldiclosure, I searched up and down in bugzilla but didn't see it.  We still have vulnerable versions in portage (see bug #140490, security cleanup needed).  Current stable is 249, which fixes this particular problem.
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-11 06:18:14 UTC
Thanks for the report.

Since the stable version is not affected and has been stable for months, this does not appear to be worth a GLSA anymore.
The older versions are also vulnerable to a different issue, so they really should be removed when possible, but this is handled in bug #140490.