security_at_caldera.com
Date: Mon Oct 28 2002 - 18:51:37 CST

    To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com full-disclosure@lists.netsys.com

    ______________________________________________________________________________

                            SCO Security Advisory

    Subject: Linux: pam_ldap format string vulnerability
    Advisory number: CSSA-2002-041.0
    Issue date: 2002 October 28
    Cross reference:
    ______________________________________________________________________________

    1. Problem Description

            The pam_ldap module provides authentication for user access
            to a system by consulting a directory using LDAP. Versions of
            pam_ldap prior to version 144 include a format string bug in
            the logging function.

    2. Vulnerable Supported Versions

            System                        Package
            ----------------------------------------------------------------------

            OpenLinux 3.1.1 Server        prior to pam_ldap-144-1.i386.rpm
            OpenLinux 3.1.1 Workstation   prior to pam_ldap-144-1.i386.rpm
            OpenLinux 3.1 Server          prior to pam_ldap-144-1.i386.rpm
            OpenLinux 3.1 Workstation     prior to pam_ldap-144-1.i386.rpm

    3. Solution

            The proper solution is to install the latest packages. Many
            customers find it easier to use the Caldera System Updater, called
            cupdate (or kcupdate under the KDE environment), to update these
            packages rather than downloading and installing them by hand.

    4. OpenLinux 3.1.1 Server

            4.1 Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-041.0/RPMS

            4.2 Packages

            8e772565f5fd9933c938cbc7a4a9f229 pam_ldap-144-1.i386.rpm

            4.3 Installation

            rpm -Fvh pam_ldap-144-1.i386.rpm

            4.4 Source Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-041.0/SRPMS

            4.5 Source Packages

            46faba5e7af087eccd984e8a68e6068a pam_ldap-144-1.src.rpm

    5. OpenLinux 3.1.1 Workstation

            5.1 Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-041.0/RPMS

            5.2 Packages

            732acb91b620f591e5036dc5117362c6 pam_ldap-144-1.i386.rpm

            5.3 Installation

            rpm -Fvh pam_ldap-144-1.i386.rpm

            5.4 Source Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-041.0/SRPMS

            5.5 Source Packages

            ac6da0b1c041f42bc5afdfbb13d50750 pam_ldap-144-1.src.rpm

    6. OpenLinux 3.1 Server

            6.1 Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-041.0/RPMS

            6.2 Packages

            37d60b62162ddf3f044d0c5533d83e05 pam_ldap-144-1.i386.rpm

            6.3 Installation

            rpm -Fvh pam_ldap-144-1.i386.rpm

            6.4 Source Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-041.0/SRPMS

            6.5 Source Packages

            2a2b18ef2cf09c944dee12cb2169ca20 pam_ldap-144-1.src.rpm

    7. OpenLinux 3.1 Workstation

            7.1 Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-041.0/RPMS

            7.2 Packages

            ea457e8e6c356e688ec547d59652b812 pam_ldap-144-1.i386.rpm

            7.3 Installation

            rpm -Fvh pam_ldap-144-1.i386.rpm

            7.4 Source Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-041.0/SRPMS

            7.5 Source Packages

            a39531e06057bbaaed603cb4150ca6a3 pam_ldap-144-1.src.rpm

    8. References

            Specific references for this advisory:
                    http://www.padl.com/OSS/pam_ldap.html
                    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0053.html
                    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0374

            SCO security resources:
                    http://www.sco.com/support/security/index.html

            This security fix closes SCO incidents sr865994, fz521320,
            erg501620.

    9. Disclaimer

            SCO is not responsible for the misuse of any of the information
            we provide on this website and/or through our security
            advisories. Our advisories are a service to our customers intended
            to promote secure installation and use of SCO products.

    10. Acknowledgements

            The pam_ldap team at padl.com discovered and researched this
            vulnerability.

    ______________________________________________________________________________

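Added example (not part of the SCO advisory): a POSIX shell helper that checks a downloaded binary package against the MD5 sums in sections 4.2, 5.2, 6.2 and 7.2 and tests whether an installed pam_ldap version is prior to 144. The product keys such as `3.1-Server` and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-install checks for the pam_ldap-144-1 update.

# MD5 sums of pam_ldap-144-1.i386.rpm, copied from the advisory.
# The product keys are labels invented for this example.
expected_md5() {
    case "$1" in
        3.1.1-Server)      echo 8e772565f5fd9933c938cbc7a4a9f229 ;;
        3.1.1-Workstation) echo 732acb91b620f591e5036dc5117362c6 ;;
        3.1-Server)        echo 37d60b62162ddf3f044d0c5533d83e05 ;;
        3.1-Workstation)   echo ea457e8e6c356e688ec547d59652b812 ;;
        *) return 1 ;;
    esac
}

# md5_matches FILE WANT: return 0 only if FILE hashes to WANT.
md5_matches() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    mm_got=$(md5sum "$1" | awk '{print $1}')
    [ "$mm_got" = "$2" ]
}

# verify_package PRODUCT FILE: compare FILE with the advisory's checksum.
verify_package() {
    vp_want=$(expected_md5 "$1") || { echo "unknown product: $1" >&2; return 2; }
    md5_matches "$2" "$vp_want"
}

# is_vulnerable NVR: return 0 if a name-version-release string, as printed
# by "rpm -q pam_ldap", names a version prior to 144 (section 1).
is_vulnerable() {
    iv_ver=${1#pam_ldap-}     # drop the package name
    iv_ver=${iv_ver%%-*}      # drop the release field
    case "$iv_ver" in
        ''|*[!0-9]*) echo "unparseable version: $1" >&2; return 2 ;;
    esac
    [ "$iv_ver" -lt 144 ]
}

# Typical use on an OpenLinux 3.1 Server host (not executed here):
#   is_vulnerable "$(rpm -q pam_ldap)" &&
#     verify_package 3.1-Server pam_ldap-144-1.i386.rpm &&
#     rpm -Fvh pam_ldap-144-1.i386.rpm
```

A matching MD5 shows only that the file is the one the advisory lists; it is an integrity check on the download, not a signature.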