SCIENTIFIC-LINUX-ERRATA Archives

July 2008

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

Subject:
From: Troy Dawson <[log in to unmask]>
Reply To: Troy Dawson <[log in to unmask]>
Date: Wed, 30 Jul 2008 15:31:11 -0500

We had a compiling problem on the x86_64 rpm.  It has been fixed and is working
now.  Both the x86_64 and i386 rpms have been rebuilt with the new name to
keep consistency.
No code has been changed.  The rpms were only recompiled.

SL 4.x

     SRPMS:
nss_ldap-253-5.sl4.1.src.rpm
     i386:
nss_ldap-253-5.sl4.1.i386.rpm
     x86_64:
nss_ldap-253-5.sl4.1.i386.rpm
nss_ldap-253-5.sl4.1.x86_64.rpm

Troy

Troy Dawson wrote:
> Synopsis:       Low: nss_ldap security and bug fix update
> Issue date:     2008-07-24
> CVE Names:      CVE-2007-5794
> 
> A race condition was discovered in nss_ldap, which affected certain
> applications that make LDAP connections, such as Dovecot. This could cause
> nss_ldap to answer a request for information about one user with the
> information about a different user. (CVE-2007-5794)
> 
> As well, this updated package fixes the following bugs:
> 
> * in certain situations, on Itanium(R) architectures, when an application
> performed an LDAP lookup for a highly populated group, for example,
> containing more than 150 members, the application crashed, or may have
> caused a segmentation fault. As well, this issue may have caused commands,
> such as "ls", to return a "ber_free_buf: Assertion" error.
> 
> * when an application enumerated members of a netgroup, the nss_ldap
> module returned a successful status result and the netgroup name, even
> when the netgroup did not exist. This behavior was not consistent with
> other modules. In this updated package, nss_ldap no longer returns a
> successful status when the netgroup does not exist.
> 
> * in master and slave server environments, with systems that were
> configured to use a read-only directory server, if user log in attempts
> were denied because their passwords had expired, and users attempted to
> immediately change their passwords, the replication server returned an LDAP
> referral, instructing the pam_ldap module to reissue its request to a
> different server; however, the pam_ldap module failed to do so. In these
> situations, an error such as the following occurred:
> 
> LDAP password information update failed: Can't contact LDAP server
> Insufficient 'write' privilege to the 'userPassword' attribute of entry
> [entry]
> 
> In this updated package, password changes are allowed when binding against
> a slave server, which resolves this issue.
> 
> * when a system used a directory server for naming information, and
> "nss_initgroups_ignoreusers root" was configured in "/etc/ldap.conf",
> dbus-daemon-1 would hang. Running the "service messagebus start" command
> did not start the service, and it did not fail, which would stop the boot
> process if it was not cancelled.
> 
> As well, this updated package upgrades nss_ldap to the version as shipped
> with Scientific Linux 5.
> 
> SL 4.x
> 
>     SRPMS:
> nss_ldap-253-5.el4.src.rpm
>     i386:
> nss_ldap-253-5.el4.i386.rpm
>     x86_64:
> nss_ldap-253-5.el4.i386.rpm
> nss_ldap-253-5.el4.x86_64.rpm
> 
> -Connie Sieh
> -Troy Dawson
> 
> 


-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/LCSI/CSI DSS Group
__________________________________________________
