pam_ldap will send credentials in plaintext if a slave ldap server refers it to a master server during a password change operation. The ldap.conf "ssl start_tls" setting is not enforced on referrals (and openldap doesn't currently allow it due to a bug).
Worst case is that server admins are not enforcing tls server-side, in which case passwd will appear to work fine, but will be sending stuff over the wire in plaintext.
Two patches are needed to fix this, one for pam_ldap to request tls on referrals, and one for openldap to accept the request.
setting upstream as fixes have been filed in the relevant bug systems.
Cleaning up :)
Can we please begin carrying this patch in the ebuilds? Upstream aren't
responding and this is a serious issue.
adding robbat2 as this needs openldap lovin as well.
pam_ldap and OpenLDAP, when connecting to a slave using TLS, does not
use TLS for the subsequent connection if the client is referred to a
master, which causes a password to be sent in cleartext and allows
remote attackers to sniff the password.
Robin: please patch (or comment)
could security please check the code in nss_ldap as well, as it shares code
with pam_ldap last I checked, and thus may be vulnerable to the same problem.
pam_ldap is patched now.
both 176-r1 and 178-r1 have the patch.
Could arches please test 178-r1, and if it works, stable it. If it doesn't
work, try 176-r1 instead.
openldap is patched now.
2.1.30-r5 and 2.2.27-r1 have the patch.
2.1.30-r5 is the ebuild that should go stable.
2.2.27-r1 (and the 2.2 series in general) will be considered for stable in 30
Updating the package name :)
Dear arches, please test sys-auth/pam_ldap-178-r1 and mark stable if possible
(if it fails, try 176-r1).
Please also try to mark openldap-2.1.30-r5 stable, thanks.
good call wrt nss_ldap. untested patch follows. if there are problems I'll try
to fix first thing tomorrow.
Created attachment 62564
tls patch for referrals for nss_ldap
pam_ldap/nss_ldap ebuilds which have the tls problem fixed must DEPEND on
openldap ebuilds with the relevant library fix, otherwise they won't function.
Well nss_ldap doesn't perform updates, so I don't think it's affected by this issue.
Ok as rob pointed out referrals are used not only for updates but for subtrees as well...so ignore me ;)
lcars: any reason to clear our precious status whiteboard ?
Sorry :/ blame /usr/bin/links. I'll be more careful in the future (but honestly it
was impossible to spot without a post-commit review). links--
pam_ldap-178-r1 and openldap-2.1.30-r5 stable on sparc.
Stable on ppc.
ok, nss_ldap is patched as well now. Hopefully there is nothing else affected by
this bug. sorry about the delay.
please test nss_ldap-239-r1 first, but if that doesn't work, test 226-r1 instead.
sparc/ppc: sorry to bring you back, but ^^^^
openldap-2.1.30-r5: stable on ppc64
pam_ldap-178-r1: was never marked ppc64 in any way -> added ~ppc64
nss_ldap-239-r1: versions after 226 didn't compile, this one works again ->
I'll mark those packages with ~ppc64 stable in 30 days, if no errors occur.
Stable on SPARC
GLSA is ready to go...
hppa,x86: please test and mark stable pam_ldap-178-r1 and nss_ldap-239-r1 (or
ppc: please test and mark stable nss_ldap-239-r1 (or 226-r1)
ppc64 : we'll need it for the GLSA before the 30 days period, as current stable
version is affected and the GLSA must go out. So please test and mark stable
nss_ldap-239-r1 if you can.
Stable on hppa and ppc.
stable on x86
oh.. I didn't think about that. nss_ldap-239-r1 is stable now on ppc64. sorry
for the delay...
Should be ready for GLSA
(Removed misc arches that did not have those packages keyworded anyway)