DSA 844-1: New mod-auth-shadow packages fix authentication bypass
Posted on: 10/05/2005 03:22 AM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 844-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
October 5th, 2005 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : mod-auth-shadow
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE ID : CAN-2005-2963
Debian Bug : 323789

A vulnerability in mod_auth_shadow, an Apache module that lets users
perform HTTP authentication against /etc/shadow, has been discovered.
The module runs for all locations that use the 'require group'
directive which would bypass access restrictions controlled by another
authorisation mechanism, such as AuthGroupFile file, if the username
is listed in the password file and in the gshadow file in the proper
group and the supplied password matches against the one in the shadow
file.

This update requires an explicit "AuthShadow on" statement if website
authentication should be checked against /etc/shadow.

For the old stable distribution (woody) this problem has been fixed in
version 1.3-3.1woody.2.

For the stable distribution (sarge) this problem has been fixed in
version 1.4-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 1.4-2.

We recommend that you upgrade your libapache-mod-auth-shadow package.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3-3.1woody.2.dsc
Size/MD5 checksum: 628 78a6276d158c96247f87c2a82ad337c9
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3-3.1woody.2.diff.gz
Size/MD5 checksum: 5818 e57059b3d026f4490e83ef48e7c64551
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3.orig.tar.gz
Size/MD5 checksum: 7476 3ad4432193ac603049ad0f2fa94f2054

Alpha architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_alpha.deb
Size/MD5 checksum: 12204 4f659abcf88fe710a35c09a24f6294d4

ARM architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_arm.deb
Size/MD5 checksum: 11306 ed1b93be804e3233000e7bc9951ee836

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_i386.deb
Size/MD5 checksum: 11334 a384bb22d08d3d8ad2ee76803517866f

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_ia64.deb
Size/MD5 checksum: 13488 63798f86c1cd944d5f635890b1ae7edb

HP Precision architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_hppa.deb
Size/MD5 checksum: 12048 cea187ef3898639b248c9b6f8b36e7a0

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_m68k.deb
Size/MD5 checksum: 11302 8887098ee92b1be61470b8a00ac72df9

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_mips.deb
Size/MD5 checksum: 11466 9846f15f1c98a3cbb01b12d8e8563d93

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_mipsel.deb
Size/MD5 checksum: 11458 d2ae47a2320ef6a8b45aa2354c9eebe9

PowerPC architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_powerpc.deb
Size/MD5 checksum: 11372 1ce0c98e16ea699726c0e45b98de5ec6

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_s390.deb
Size/MD5 checksum: 11516 e92c004036842d0f6f79b0e5d9f64455

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_sparc.deb
Size/MD5 checksum: 14484 524248ef32be0bffef4dcc147eece09b


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.4-1sarge1.dsc
Size/MD5 checksum: 618 8a413e53ca39d904d95dccd1b0705693
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.4-1sarge1.diff.gz
Size/MD5 checksum: 5816 4b010699db55a2c3446e71cc4af6e167
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.4.orig.tar.gz
Size/MD5 checksum: 7982 7da6ea1d72640c334fefab4e078eadd4

Alpha architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_alpha.deb
Size/MD5 checksum: 13462 9a035f44ccbfec2ddedeb97ba25de685

AMD64 architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_amd64.deb
Size/MD5 checksum: 12978 ffdd9eab120efbd6ad58befb069ead8d

ARM architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_arm.deb
Size/MD5 checksum: 12332 20edffd17e6cfed8bf60d50f0cf918da

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_i386.deb
Size/MD5 checksum: 12426 7e27802cc15e0478e06f00cff72c4133

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_ia64.deb
Size/MD5 checksum: 14444 b1a34f75958df70ee4566445ceb80a26

HP Precision architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_hppa.deb
Size/MD5 checksum: 13602 448068ac275fe81e7ba0d997b8bc3566

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_m68k.deb
Size/MD5 checksum: 12258 ae4ef5bdca2baaeb0067cf908e57ac09

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_mips.deb
Size/MD5 checksum: 13238 e0a0f68fb3a164bc80607ba974a05f3d

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_mipsel.deb
Size/MD5 checksum: 13248 24218030e050490cbe0578474ec46403

PowerPC architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_powerpc.deb
Size/MD5 checksum: 14120 85d7a92000946e11db7ae213960c4927

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_s390.deb
Size/MD5 checksum: 12964 46951fcacb6c99c779e31c7aa21d8bf3

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_sparc.deb
Size/MD5 checksum: 12300 e05d59189d387427c9017180631aeba4


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDQ5unW5ql+IAeqTIRAs+2AJ9lZmcpDasrDXY+dq195W7gdvJSRgCggXNF
JL5rdx9NuQ2DbdQkwVc1acM=
=kiFO
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_844_1_new_mod_auth_shadow_packages_fix_authentication_bypass.html)