MDKSA-2006:201
- Package name: pam_ldap
- Date: 2006-11-07
- Advisory ID: MDKSA-2006:201
- Affected versions: 2006.0 i586, 2007.0 x86_64, 2007.0 i586, CS4.0 i586, CS4.0 x86_64, 2006.0 x86_64
Problem description
pam_ldap does not return an error condition when an LDAP directory
server responds with a PasswordPolicyResponse control, which causes
the pam_authenticate function to return a success code even if
authentication has failed, as originally reported for xscreensaver.
This might allow an attacker to log in to a suspended system account.
Updated packages have been patched to correct this issue.
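
The following is an added illustration, not pam_ldap source code and not taken from the advisory: a simplified C model of the fail-open pattern described above next to a fail-closed version. The struct, the function names and the exact shape of the flaw are assumptions made for illustration; the numeric constants mirror Linux-PAM, LDAP and the LDAP password policy draft.

```c
#include <stdio.h>

/* Values mirror Linux-PAM, LDAP and the password policy draft; they are
   defined locally so this model builds without those headers. */
enum { PAM_SUCCESS = 0, PAM_PERM_DENIED = 6, PAM_AUTH_ERR = 7 };
enum { LDAP_SUCCESS = 0, LDAP_INVALID_CREDENTIALS = 49 };
enum { PP_NONE = -1, PP_ACCOUNT_LOCKED = 1 };

/* Hypothetical summary of a parsed bind response (not a pam_ldap type). */
struct bind_reply {
    int result;      /* LDAP result code of the bind itself */
    int has_ppolicy; /* PasswordPolicyResponse control attached? */
    int pp_error;    /* error field of the control, PP_NONE if absent */
};

/* Flawed shape (assumed for illustration): the control branch reports how
   control handling went, and that status replaces the bind result. */
int auth_fail_open(const struct bind_reply *r)
{
    int rc = (r->result == LDAP_SUCCESS) ? PAM_SUCCESS : PAM_AUTH_ERR;
    if (r->has_ppolicy)
        rc = PAM_SUCCESS; /* control parsed fine; the bind failure is lost */
    return rc;
}

/* Fail-closed shape: a failed bind is final; the control can only add a
   denial, it can never turn a failure into success. */
int auth_fail_closed(const struct bind_reply *r)
{
    if (r->result != LDAP_SUCCESS)
        return PAM_AUTH_ERR;
    if (r->has_ppolicy && r->pp_error == PP_ACCOUNT_LOCKED)
        return PAM_PERM_DENIED;
    return PAM_SUCCESS;
}

int main(void)
{
    /* Constructed reply: bind rejected, control reports a locked account. */
    struct bind_reply locked = { LDAP_INVALID_CREDENTIALS, 1, PP_ACCOUNT_LOCKED };
    printf("fail-open: %d, fail-closed: %d\n",
           auth_fail_open(&locked), auth_fail_closed(&locked));
    return 0;
}
```
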
Updated packages
2006.0 i586
88544f487e0884831e8dca48d9420eca 2006.0/i586/pam_ldap-180-2.1.20060mdk.i586.rpm
2873ac0db22512131ad2f4a5d055e035 2006.0/SRPMS/pam_ldap-180-2.1.20060mdk.src.rpm
2007.0 x86_64
079964ab75deaa3a8d723bc63c4e9be7 2007.0/x86_64/pam_ldap-180-4.1mdv2007.0.x86_64.rpm
3a747dcc317e95fdc9011c1dfc4254ef 2007.0/SRPMS/pam_ldap-180-4.1mdv2007.0.src.rpm
2007.0 i586
338ecc4e0b69209b99f9ad317d6d2385 2007.0/i586/pam_ldap-180-4.1mdv2007.0.i586.rpm
3a747dcc317e95fdc9011c1dfc4254ef 2007.0/SRPMS/pam_ldap-180-4.1mdv2007.0.src.rpm
CS4.0 i586
8e800885b38df7d3b566cea4934cdb24 corporate/4.0/i586/pam_ldap-180-3.1.20060mlcs4.i586.rpm
4abf9cd7b032153e407cf487968bc10a corporate/4.0/SRPMS/pam_ldap-180-3.1.20060mlcs4.src.rpm
CS4.0 x86_64
92a60cc8a2d16e7cb305a7665e39e696 corporate/4.0/x86_64/pam_ldap-180-3.1.20060mlcs4.x86_64.rpm
4abf9cd7b032153e407cf487968bc10a corporate/4.0/SRPMS/pam_ldap-180-3.1.20060mlcs4.src.rpm
2006.0 x86_64
4cdb139a35c0b877fccb62b344292133 2006.0/x86_64/pam_ldap-180-2.1.20060mdk.x86_64.rpm
2873ac0db22512131ad2f4a5d055e035 2006.0/SRPMS/pam_ldap-180-2.1.20060mdk.src.rpm
