Security Update: [CSSA-2002-024.0] Volution Manager: Directory Administrator password in cleartext

To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com


______________________________________________________________________________

		Caldera International, Inc.  Security Advisory

Subject:		Volution Manager: Directory Administrator password in cleartext
Advisory number: 	CSSA-2002-024.0
Issue date: 		2002 June 3
Cross reference:
______________________________________________________________________________


1. Problem Description

	Volution Manager stores the unencrypted Directory
	Administrator's password in the /etc/ldap/slapd.conf file.

	This vulnerability will be corrected in the next release of
	Volution Manager.


2. Vulnerable Supported Versions


	System				Package
	----------------------------------------------------------------------
	Volution Manager 1.1		Standard


3. Solution

	Volution Manager stores the unencrypted Directory
	Administrator's password in the /etc/ldap/slapd.conf file.
	The password line looks similar to this:

		rootpw		<clear_text_password>

	Caldera strongly recommends that you encrypt this password,
	using the following steps:

	As the root user, run slappasswd, entering your desired
	password at the prompts (the example uses newpasswd as the new
	password; the password will not be seen as you type it).

	# slappasswd
	New password: newpasswd
	Re-enter new password: newpasswd
	{SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz
	#

	The output is the new, encrypted password. In the file
	/etc/ldap/slapd.conf, replace the previous rootpw line with a
	line containing the new, encrypted password so that the line
	looks similar to this:

		rootpw		{SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz
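
	As an added example (not part of the Caldera advisory or of Volution
	Manager), the following Python checks slapd.conf text for rootpw lines
	that are still cleartext, and shows how an {SSHA} value is built and
	checked: base64 of SHA1(password + salt) followed by the salt. The
	function names, the 4-byte salt and the sample config are assumptions
	made for this example; the {SSHA} string is the one printed above.

```python
import base64
import hashlib
import hmac
import os
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")

def make_ssha(password, salt=None):
    """{SSHA} value: base64(SHA1(password + salt) + salt); the salt is stored in the clear."""
    salt = os.urandom(4) if salt is None else salt  # 4-byte salt is an assumption
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(password, value):
    """Recompute the digest with the embedded salt and compare in constant time."""
    raw = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def audit_rootpw(conf_text):
    """Return [(line_number, status)] for every rootpw directive in slapd.conf text.

    Simplification (assumption): each directive sits on one line; slapd.conf
    continuation lines and quoted values are not handled.
    """
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        fields = line.split(None, 1)
        if len(fields) < 2 or fields[0].startswith("#") or fields[0].lower() != "rootpw":
            continue
        m = SCHEME_RE.match(fields[1].strip())
        scheme = m.group(1).upper() if m else None
        # No {SCHEME} prefix, or an explicit {CLEARTEXT}, means the password is readable.
        status = "cleartext" if scheme in (None, "CLEARTEXT") else "hashed:" + scheme
        findings.append((lineno, status))
    return findings

# Constructed sample config; the {SSHA} value is the one printed in the advisory.
SAMPLE_CONF = """\
# rootpw commented-out
rootdn "cn=admin,o=example"
rootpw secret123
rootpw {SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz
"""

if __name__ == "__main__":
    for lineno, status in audit_rootpw(SAMPLE_CONF):
        print(f"line {lineno}: {status}")
```

	Because the salt is stored alongside the digest, anyone who can read
	the file can still run offline guesses against the value.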


4. References

	Specific references for this advisory:
		none

	Caldera OpenLinux security resources:
		http://www.caldera.com/support/security/index.html

	Caldera UNIX security resources:
		http://stage.caldera.com/support/security/

	This security advisory closes Caldera incidents sr864231,
	erg501574.



5. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on this website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera products.

______________________________________________________________________________
