Home page logo
/

bugtraq logo Bugtraq mailing list archives

Security Update: [CSSA-2002-041.0] Linux: pam_ldap format string vulnerability
From: security () caldera com
Date: Mon, 28 Oct 2002 16:51:37 -0800

To: bugtraq () securityfocus com announce () lists caldera com security-alerts () linuxsecurity com full-disclosure () 
lists netsys com

______________________________________________________________________________

                        SCO Security Advisory

Subject:                Linux: pam_ldap format string vulnerability
Advisory number:        CSSA-2002-041.0
Issue date:             2002 October 28
Cross reference:
______________________________________________________________________________


1. Problem Description

        The pam_ldap module provides authentication for user access
        to a system by consulting a directory using LDAP. Versions of
        pam_ldap prior to version 144 include a format string bug in
        the logging function.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------

        OpenLinux 3.1.1 Server          prior to pam_ldap-144-1.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to pam_ldap-144-1.i386.rpm

        OpenLinux 3.1 Server            prior to pam_ldap-144-1.i386.rpm

        OpenLinux 3.1 Workstation       prior to pam_ldap-144-1.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-041.0/RPMS

        4.2 Packages

        8e772565f5fd9933c938cbc7a4a9f229        pam_ldap-144-1.i386.rpm

        4.3 Installation

        rpm -Fvh pam_ldap-144-1.i386.rpm

        4.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-041.0/SRPMS

        4.5 Source Packages

        46faba5e7af087eccd984e8a68e6068a        pam_ldap-144-1.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-041.0/RPMS

        5.2 Packages

        732acb91b620f591e5036dc5117362c6        pam_ldap-144-1.i386.rpm

        5.3 Installation

        rpm -Fvh pam_ldap-144-1.i386.rpm

        5.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-041.0/SRPMS

        5.5 Source Packages

        ac6da0b1c041f42bc5afdfbb13d50750        pam_ldap-144-1.src.rpm


6. OpenLinux 3.1 Server

        6.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-041.0/RPMS

        6.2 Packages

        37d60b62162ddf3f044d0c5533d83e05        pam_ldap-144-1.i386.rpm

        6.3 Installation

        rpm -Fvh pam_ldap-144-1.i386.rpm

        6.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-041.0/SRPMS

        6.5 Source Packages

        2a2b18ef2cf09c944dee12cb2169ca20        pam_ldap-144-1.src.rpm


7. OpenLinux 3.1 Workstation

        7.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-041.0/RPMS

        7.2 Packages

        ea457e8e6c356e688ec547d59652b812        pam_ldap-144-1.i386.rpm

        7.3 Installation

        rpm -Fvh pam_ldap-144-1.i386.rpm

        7.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-041.0/SRPMS

        7.5 Source Packages

        a39531e06057bbaaed603cb4150ca6a3        pam_ldap-144-1.src.rpm


8. References

        Specific references for this advisory:
                http://www.padl.com/OSS/pam_ldap.html
                http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0053.html
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0374


        SCO security resources:
                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr865994, fz521320,
        erg501620.


9. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.


10. Acknowledgements

        The pam_ldap team at padl.com discovered and researched this
        vulnerability.

______________________________________________________________________________

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
  • Security Update: [CSSA-2002-041.0] Linux: pam_ldap format string vulnerability security (Oct 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault