| Field | Value |
|---|---|
| Summary | sys-auth/{pam_ldap\|nss_ldap} not using tls for referred connections |
| Product | Gentoo Security |
| Reporter | rob holland (RETIRED) <tigger> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | lcars, pam-bugs+disabled, robbat2 |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Other |
| Whiteboard | B3 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Attachments | 62564: tls patch for referrals for nss_ldap |
Description
rob holland (RETIRED)
2005-06-22 03:11:43 UTC
setting upstream as fixes have been filed in the relevant bug systems. Cleaning up :)

Can we please being carrying this patch in the ebuilds? Upstream aren't responding and this is a serious issue.

s/being/begin/ :)

adding robbat2 as this needs openldap lovin as well.

======================================================
Candidate: CAN-2005-2069
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2069
Reference: MISC:http://www.openldap.org/its/index.cgi/Incoming?id=3791
Reference: MISC:http://bugzilla.padl.com/show_bug.cgi?id=210
Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161990

pam_ldap and OpenLDAP, when connecting to a slave using TLS, does not use TLS for the subsequent connection if the client is referred to a master, which causes a password to be sent in cleartext and allows remote attackers to sniff the password.
======================================================

Robin: please patch (or comment)

could security please check the code in nss_ldap as well, as it shares code with pam_ldap last I checked, and thus may be vulnerable to the same problem.

pam_ldap is patched now. both 176-r1 and 178-r1 have the patch. Could arches please test 178-r1, and if it works, stable it. If it doesn't work, try 176-r1 instead.

openldap is patched now. 2.1.30-r5 and 2.2.27-r1 have the patch. 2.1.30-r5 is the ebuild that should go stable. 2.2.27-r1 (and the 2.2 series in general) will be considered for stable in 30 days.

Updating the package name :)

Dear arches, please test sys-auth/pam_ldap-178-r1 and mark stable if possible (if it fails, try 176-r1). Please also try to mark openldap-2.1.30-r5 stable, thanks.

good call wrt nss_ldap. untested patch follows. if there are problems I'll try to fix first thing tomorrow.

Created attachment 62564: tls patch for referrals for nss_ldap
pam_ldap/nss_ldap ebuilds which have the tls problem fixed must DEPEND on openldap ebuilds with the relevant library fix, otherwise they won't function.

Well nss_ldap doesn't perform updates, so I don't think it's affected by this issue.

Ok as rob pointed out referrals are used not only for updates but for subtrees as well...so ignore me ;)

lcars: any reason to clear our precious status whiteboard ?

Sorry :/ blame /usr/bin/links. I'll be more careful in the future (but honestly it was impossible to spot without a post-commit review). links--

pam_ldap-178-r1 and openldap-2.1.30-r5 stable on sparc.

Stable on ppc.

ok, nss_ldap is patched as well now. Hopefully there is nothing else affected by this bug. sorry about the delay. arches: please test nss_ldap-239-r1 first, but if that doesn't work, test 226-r1 instead. sparc/ppc: sorry to bring you back, but ^^^^

openldap-2.1.30-r5: stable on ppc64
pam_ldap-178-r1: was never marked ppc64 in any way -> added ~ppc64
nss_ldap-239-r1: versions after 226 didn't compile, this one works again -> added ~ppc64
I'll mark those packages with ~ppc64 stable in 30 days, if no errors occur.

Stable on SPARC

amd64 stable

GLSA is ready to go...
hppa,x86: please test and mark stable pam_ldap-178-r1 and nss_ldap-239-r1 (or 226-r1)
ppc: please test and mark stable nss_ldap-239-r1 (or 226-r1)
ppc64: we'll need it for the GLSA before the 30 days period, as current stable version is affected and the GLSA must go out. So please test and mark stable nss_ldap-239-r1 if you can.

Stable on hppa and ppc.

stable on x86

oh.. I didn't think about that. nss_ldap-239-r1 is stable now on ppc64. sorry for the delay...

Should be ready for GLSA

GLSA 200507-13

(Removed misc arches that did not have those packages keyworded anyway)
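The failure mode the CAN-2005-2069 entry above describes, shown as an added Python example that is not code from pam_ldap, nss_ldap, OpenLDAP or the Gentoo patches on this bug: every function name, the `Transport` record and the sample URLs are constructed for illustration. `chase_referral_unsafe` models the pre-fix behaviour, where the referral URL alone decides the transport and the TLS state of the session that received the referral is forgotten; `chase_referral_safe` models the intended policy, where a referred connection inherits at least the security of the original one (an `ldap://` referral received over ldaps:// or StartTLS must itself StartTLS before binding); `is_downgrade` is the check a reviewer can apply to either decision.

```python
"""Referral chasing that keeps the caller's TLS posture.

Added example, not code from pam_ldap, nss_ldap or OpenLDAP.  The policy
functions, the Transport record and the sample URLs are hypothetical and
illustrate the CAN-2005-2069 failure mode: a TLS-protected session is referred
to a master with a plain ldap:// URL and, without a policy like
chase_referral_safe, the bind (and the password) goes out in clear.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class Transport:
    """How the referred connection will be made (hypothetical record type)."""
    host: str
    port: int
    ldaps: bool      # TLS from the first byte (ldaps://, default port 636)
    starttls: bool   # plain TCP, then StartTLS; the bind must abort if it fails
    allowed: bool    # False: do not follow this referral at all
    reason: str


def parse_ldap_url(url: str):
    """Return (scheme, host, port) for an ldap:// or ldaps:// URL, else raise."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme in LDAP URL: {url!r}")
    if not parts.hostname:
        raise ValueError(f"LDAP URL has no host: {url!r}")
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]


def session_is_secure(original_url: str, original_starttls: bool) -> bool:
    """True if the connection that received the referral was protected by TLS."""
    scheme, _, _ = parse_ldap_url(original_url)
    return scheme == "ldaps" or original_starttls


def chase_referral_unsafe(referral_url: str) -> Transport:
    """Pre-fix behaviour: the referral URL alone decides the transport, so the
    TLS state of the session that handed out the referral is simply forgotten."""
    scheme, host, port = parse_ldap_url(referral_url)
    return Transport(host=host, port=port, ldaps=(scheme == "ldaps"),
                     starttls=False, allowed=True,
                     reason="transport taken from the referral URL only")


def chase_referral_safe(original_url: str, original_starttls: bool,
                        referral_url: str) -> Transport:
    """Intended policy: the referred connection inherits at least the security
    of the original one.  An ldap:// referral from a TLS session must StartTLS."""
    try:
        scheme, host, port = parse_ldap_url(referral_url)
    except ValueError as exc:
        # Unknown scheme or no host: refuse rather than guess a transport.
        return Transport(host="", port=0, ldaps=False, starttls=False,
                         allowed=False, reason=str(exc))
    if scheme == "ldaps":
        return Transport(host=host, port=port, ldaps=True, starttls=False,
                         allowed=True, reason="referral already uses ldaps://")
    if not session_is_secure(original_url, original_starttls):
        return Transport(host=host, port=port, ldaps=False, starttls=False,
                         allowed=True,
                         reason="original session was plaintext; no downgrade")
    return Transport(host=host, port=port, ldaps=False, starttls=True,
                     allowed=True,
                     reason="StartTLS required to match the original session")


def is_downgrade(original_url: str, original_starttls: bool, t: Transport) -> bool:
    """True if following `t` would send credentials with less protection than
    the session that handed out the referral had."""
    return (t.allowed and session_is_secure(original_url, original_starttls)
            and not (t.ldaps or t.starttls))


if __name__ == "__main__":
    # Constructed sample: a TLS-protected bind to a slave is referred to the master.
    slave = "ldaps://slave.example.com"
    master_ref = "ldap://master.example.com/dc=example,dc=com"
    before = chase_referral_unsafe(master_ref)
    after = chase_referral_safe(slave, False, master_ref)
    print("unpatched:", before, "downgrade:", is_downgrade(slave, False, before))
    print("patched:  ", after, "downgrade:", is_downgrade(slave, False, after))
```

The policy deliberately never rewrites `ldap://` to `ldaps://` (the master may not listen on 636); it requires StartTLS on the referred connection instead, which is the posture a real client should enforce before re-sending a simple bind. A referral with an unsupported scheme or no host is refused outright rather than followed with whatever transport can be guessed from it.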