[Security Announce] [ MDKSA-2006:201 ] - Updated pam_ldap packages fix PasswordPolicyReponse coding error
Posted on: 11/08/2006 04:05 AM

The Mandriva Security Team published a new security update for Mandriva Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2006:201
http://www.mandriva.com/security/
_______________________________________________________________________

Package : pam_ldap
Date : November 7, 2006
Affected: 2006.0, 2007.0, Corporate 4.0
_______________________________________________________________________

Problem Description:

Pam_ldap does not return an error condition when an LDAP directory
server responds with a PasswordPolicyResponse control response, which
causes the pam_authenticate function to return a success code even if
authentication has failed, as originally reported for xscreensaver.
This might lead to an attacker being able to login into a suspended
system account.

Updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5170
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2006.0:
88544f487e0884831e8dca48d9420eca 2006.0/i586/pam_ldap-180-2.1.20060mdk.i586.rpm
2873ac0db22512131ad2f4a5d055e035 2006.0/SRPMS/pam_ldap-180-2.1.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
4cdb139a35c0b877fccb62b344292133 2006.0/x86_64/pam_ldap-180-2.1.20060mdk.x86_64.rpm
2873ac0db22512131ad2f4a5d055e035 2006.0/SRPMS/pam_ldap-180-2.1.20060mdk.src.rpm

Mandriva Linux 2007.0:
338ecc4e0b69209b99f9ad317d6d2385 2007.0/i586/pam_ldap-180-4.1mdv2007.0.i586.rpm
3a747dcc317e95fdc9011c1dfc4254ef 2007.0/SRPMS/pam_ldap-180-4.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
079964ab75deaa3a8d723bc63c4e9be7 2007.0/x86_64/pam_ldap-180-4.1mdv2007.0.x86_64.rpm
3a747dcc317e95fdc9011c1dfc4254ef 2007.0/SRPMS/pam_ldap-180-4.1mdv2007.0.src.rpm

Corporate 4.0:
8e800885b38df7d3b566cea4934cdb24 corporate/4.0/i586/pam_ldap-180-3.1.20060mlcs4.i586.rpm
4abf9cd7b032153e407cf487968bc10a corporate/4.0/SRPMS/pam_ldap-180-3.1.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
92a60cc8a2d16e7cb305a7665e39e696 corporate/4.0/x86_64/pam_ldap-180-3.1.20060mlcs4.x86_64.rpm
4abf9cd7b032153e407cf487968bc10a corporate/4.0/SRPMS/pam_ldap-180-3.1.20060mlcs4.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFURi4mqjQ0CJFipgRAv+AAJ9X0lbBUIA1pFc3IbMFw2/ob60zIACfQSN3
HXWy3ifc4tvQC0XYyy4M2f0=
äuj
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2006201__updated_pam_ldap_packages_fix_passwordpolicyreponse_coding_error.html)