Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200711-33 ] nss_ldap: Information disclosure
Date: Sun, 25 Nov 2007 21:59:18
Message-Id: 4749EC9C.6010105@gentoo.org
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5 Gentoo Linux Security Advisory GLSA 200711-33
6 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7 http://security.gentoo.org/
8 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10 Severity: Low
11 Title: nss_ldap: Information disclosure
12 Date: November 25, 2007
13 Bugs: #198390
14 ID: 200711-33
15
16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
17
18 Synopsis
19 ========
20
21 A race condition might lead to theft of user credentials or information
22 disclosure in services using nss_ldap.
23
24 Background
25 ==========
26
27 nss_ldap is a Name Service Switch module which allows 'passwd', 'group'
28 and 'host' database information to be pulled from LDAP.
29
30 Affected packages
31 =================
32
33 -------------------------------------------------------------------
34 Package / Vulnerable / Unaffected
35 -------------------------------------------------------------------
36 1 sys-auth/nss_ldap < 258 >= 258
37
38 Description
39 ===========
40
41 Josh Burley reported that nss_ldap does not properly handle the LDAP
42 connections due to a race condition that can be triggered by
43 multi-threaded applications using nss_ldap, which might lead to
44 requested data being returned to a wrong process.
45
46 Impact
47 ======
48
49 Remote attackers could exploit this race condition by sending queries
50 to a vulnerable server using nss_ldap, possibly leading to theft of
51 user credentials or information disclosure (e.g. Dovecot returning
52 wrong mailbox contents).
53
54 Workaround
55 ==========
56
57 There is no known workaround at this time.
58
59 Resolution
60 ==========
61
62 All nss_ldap users should upgrade to the latest version:
63
64 # emerge --sync
65 # emerge --ask --oneshot --verbose ">=sys-auth/nss_ldap-258"
66
67 References
68 ==========
69
70 [ 1 ] CVE-2007-5794
71 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794
72
73 Availability
74 ============
75
76 This GLSA and any updates to it are available for viewing at
77 the Gentoo Security Website:
78
79 http://security.gentoo.org/glsa/glsa-200711-33.xml
80
81 Concerns?
82 =========
83
84 Security is a primary focus of Gentoo Linux and ensuring the
85 confidentiality and security of our users machines is of utmost
86 importance to us. Any security concerns should be addressed to
87 security@g.o or alternatively, you may file a bug at
88 http://bugs.gentoo.org.
89
90 License
91 =======
92
93 Copyright 2007 Gentoo Foundation, Inc; referenced text
94 belongs to its owner(s).
95
96 The contents of this document are licensed under the
97 Creative Commons - Attribution / Share Alike license.
98
99 http://creativecommons.org/licenses/by-sa/2.5
100 -----BEGIN PGP SIGNATURE-----
101 Version: GnuPG v1.4.7 (GNU/Linux)
102 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
103
104 iD8DBQFHSeycuhJ+ozIKI5gRAjvwAKCc3Et4rezJasP3RT7sWY+pHyShwACfVwbg
105 67oYKwgTwEYBnnY/v5ZQ5zw=
106 =TEDE
107 -----END PGP SIGNATURE-----
108 --
109 gentoo-announce@g.o mailing list