pam_ldap will send credentials in plaintext if a slave ldap server refers it to a master server during a password change operation. The ldap.conf "ssl start_tls" setting is not enforced on referrals (and openldap doesn't currently allow it due to a bug). Worst case is that server admins are not enforcing tls server-side, in which case passwd will appear to work fine, but will be sending stuff over the wire in plaintext. Two patches are needed to fix this, one for pam_ldap to request tls on referrals, and one for openldap to accept the request. http://bugzilla.padl.com/show_bug.cgi?id=210 http://www.openldap.org/its/index.cgi/Incoming?id=3791
setting upstream as fixes have been filed in the relevant bug systems.
Cleaning up :)
Can we please being carrying this patch in the ebuilds? Upstream aren't responding and this is a serious issue.
s/being/begin/ :) adding robbat2 as this needs openldap lovin as well.
====================================================== Candidate: CAN-2005-2069 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2069 Reference: MISC:http://www.openldap.org/its/index.cgi/Incoming?id=3791 Reference: MISC:http://bugzilla.padl.com/show_bug.cgi?id=210 Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161990 pam_ldap and OpenLDAP, when connecting to a slave using TLS, does not use TLS for the subsequent connection if the client is referred to a master, which causes a password to be sent in cleartext and allows remote attackers to sniff the password. ====================================================== Robin: please patch (or comment)
could security please check the code in nss_ldap as well, as it shares code with pam_ldap last I checked, and thus may be vulnerable to the same problem.
pam_ldap is patched now. both 176-r1 and 178-r1 have the patch. Could arches please test 178-r1, and if it works, stable it. If it doesn't work, try 176-r1 instead.
openldap is patched now. 2.1.30-r5 and 2.2.27-r1 have the patch. 2.1.30-r5 is the ebuild that should go stable. 2.2.27-r1 (and the 2.2 series in general) will be considered for stable in 30 days).
Updating the package name :)
Dear arches, please test sys-auth/pam_ldap-178-r1 and mark stable if possible (if it fails, try 176-r1). Please also try to mark openldap-2.1.30-r5 stable, thanks.
good call wrt nss_ldap. untested patch follows. if there are problems I'll try to fix first thing tomorrow.
Created attachment 62564 [details, diff] tls patch for referrals for nss_ldap
pam_ldap/nss_ldap ebuilds which have the tls problem fixed must DEPEND on openldap ebuilds with the revelent library fix, otherwise they won't function.
Well nss_ldap doesn't performs updates, so I don't think it's affected by this issue.
Ok as rob pointed out referrals are used not only for updates but for subtrees as well...so ignore me ;)
lcars: any reason to clear our precious status whiteboard ?
Sorry :/ blame /usr/bin/links. I'll be more careful in the future (but honestly it was impossible to spot without a post-commit review). links--
pam_ldap-178-r1 and and openldap-2.1.30-r5 stable on sparc.
Stable on ppc.
ok, nss_ldap is patched as well now. Hopefully there is nothing else affected by this bug. sorry about the delay. arches: please test nss_ldap-239-r1 first, but if that doesn't work, test 226-r1 instead. sparc/ppc: sorry to bring you back, but ^^^^
openldap-2.1.30-r5: stable on ppc64 pam_ldap-178-r1: was never marked ppc64 in any way -> added ~ppc64 nss_ldap-239-r1: versions after 226 didn't compile, this one works again -> added ~ppc64 I'll mark those packages with ~ppc64 stable in 30 days, if no errors occur.
Stable on SPARC
amd64 stable
GLSA is ready to go... hppa,x86: please test and mark stable pam_ldap-178-r1 and nss_ldap-239-r1 (or 226-r1) ppc: please test and mark stable nss_ldap-239-r1 (or 226-r1) ppc64 : we'll need it for the GLSA before the 30 days period, as current stable version is affected and the GLSA must go out. So please test and mark stable nss_ldap-239-r1 if you can.
Stable on hppa and ppc.
stable on x86
oh.. I didn't thought about that. nss_ldap-239-r1 is stable now on ppc64. sorry for the delay...
Should be ready for GLSA
GLSA 200507-13 (Removed misc arches tat did not have those packages keyworded anyway)