Looking into it.
Troy
Christopher Hunter wrote:
> FYI for any scilinux + LDAP users
>
> Latest errata update for nss_ldap is missing file
> /lib64/security/pam_ldap.so
>
> LDAP users are unable to authenticate on 64-bit SL4 machines.
>
> Our quick fix was to revert to nss_ldap-226-20 and add the nss_ldap rpm
> package to yum.excludes.
>
>> Date: Mon, 28 Jul 2008 16:21:02 -0500
>> From: Troy Dawson <[log in to unmask]>
>> Subject: Security ERRATA for nss_ldap on SL4.x i386/x86_64
>>
>> Synopsis: Low: nss_ldap security and bug fix update
>> Issue date: 2008-07-24
>> CVE Names: CVE-2007-5794
>>
>> A race condition was discovered in nss_ldap, which affected certain
>> applications that make LDAP connections, such as Dovecot. This could cause
>> nss_ldap to answer a request for information about one user with the
>> information about a different user. (CVE-2007-5794)
>>
>> As well, this updated package fixes the following bugs:
>>
>> * in certain situations, on Itanium(R) architectures, when an application
>> performed an LDAP lookup for a highly populated group, for example,
>> containing more than 150 members, the application crashed, or may have
>> caused a segmentation fault. As well, this issue may have caused commands,
>> such as "ls", to return a "ber_free_buf: Assertion" error.
>>
>> * when an application enumerated members of a netgroup, the nss_ldap
>> module returned a successful status result and the netgroup name, even
>> when the netgroup did not exist. This behavior was not consistent with
>> other modules. In this updated package, nss_ldap no longer returns a
>> successful status when the netgroup does not exist.
>>
>> * in master and slave server environments, with systems that were
>> configured to use a read-only directory server, if user log in attempts
>> were denied because their passwords had expired, and users attempted to
>> immediately change their passwords, the replication server returned an LDAP
>> referral, instructing the pam_ldap module to reissue its request to a
>> different server; however, the pam_ldap module failed to do so. In these
>> situations, an error such as the following occurred:
>>
>> LDAP password information update failed: Can't contact LDAP server
>> Insufficient 'write' privilege to the 'userPassword' attribute of entry
>> [entry]
>>
>> In this updated package, password changes are allowed when binding against
>> a slave server, which resolves this issue.
>>
>> * when a system used a directory server for naming information, and
>> "nss_initgroups_ignoreusers root" was configured in "/etc/ldap.conf",
>> dbus-daemon-1 would hang. Running the "service messagebus start" command
>> did not start the service, and it did not fail, which would stop the boot
>> process if it was not cancelled.
>>
>> As well, this updated package upgrades nss_ldap to the version as shipped
>> with Scientific Linux 5.
>>
>> SL 4.x
>>
>> SRPMS:
>> nss_ldap-253-5.el4.src.rpm
>> i386:
>> nss_ldap-253-5.el4.i386.rpm
>> x86_64:
>> nss_ldap-253-5.el4.i386.rpm
>> nss_ldap-253-5.el4.x86_64.rpm
>>
>> -Connie Sieh
>> -Troy Dawson
--
__________________________________________________
Troy Dawson [log in to unmask] (630)840-6468
Fermilab Computing Division/LCSI/CSI DSS Group
__________________________________________________
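The breakage Christopher reports (an updated nss_ldap package that no longer ships pam_ldap.so, so every PAM stack referencing it fails) can be caught before rollout by checking that each module named in pam.d actually exists in the module directory. The script below is an added example, not part of the thread or of the Scientific Linux packages; the pam.d tree and module directory it builds are a constructed fixture, and module paths are reduced to their basename so that SL4's "/lib/security/$ISA/pam_ldap.so" form is looked up as pam_ldap.so.

```shell
#!/bin/sh
# Added example: verify that every PAM module referenced in a pam.d tree is
# present in the PAM module directory (the file /lib64/security/pam_ldap.so
# went missing in the errata update discussed above).

# Print "<config> <module-path>" for each referenced module that is absent
# from SECURITY_DIR. PAM rule format: type control module-path [args].
missing_pam_modules() {
    pamd_dir=$1; security_dir=$2
    for cfg in "$pamd_dir"/*; do
        [ -f "$cfg" ] || continue
        # Skip comments and @include lines; a bracketed control field such as
        # "[success=1 default=ignore]" may span several awk fields.
        awk '!/^[[:space:]]*#/ && NF >= 3 && $1 != "@include" {
                i = 3
                if ($2 ~ /^\[/) while (i <= NF && $(i-1) !~ /\]$/) i++
                if (i <= NF) print $i
             }' "$cfg" |
        while read -r mod; do
            # Basename lookup: "/lib/security/$ISA/pam_ldap.so" -> pam_ldap.so
            [ -f "$security_dir/${mod##*/}" ] || echo "${cfg##*/} $mod"
        done
    done
}

# Exit status 1 (and a report on stderr) when any module is missing.
check_pam_modules() {
    missing=$(missing_pam_modules "$1" "$2")
    [ -z "$missing" ] && return 0
    printf 'MISSING PAM modules (logins via these stacks will fail):\n%s\n' "$missing" >&2
    return 1
}

# Constructed fixture (hypothetical paths): a system-auth stack that uses
# pam_ldap.so, and a module directory from which pam_ldap.so has disappeared.
make_fixture() {
    d=$(mktemp -d) && mkdir "$d/pam.d" "$d/security"
    cat > "$d/pam.d/system-auth" <<'EOF'
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        [success=1 default=ignore] pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      pam_unix.so
EOF
    touch "$d/security/pam_env.so" "$d/security/pam_unix.so" "$d/security/pam_deny.so"
    echo "$d"
}

d=$(make_fixture)
if check_pam_modules "$d/pam.d" "$d/security"; then echo "all PAM modules present"; fi
rm -rf "$d"
```

Run it against the real tree with `check_pam_modules /etc/pam.d /lib64/security` (or /lib/security on i386) after a test install of the new package and before it reaches production hosts.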