-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2006:201 http://www.mandriva.com/security/ _______________________________________________________________________ Package : pam_ldap Date : November 7, 2006 Affected: 2006.0, 2007.0, Corporate 4.0 _______________________________________________________________________ Problem Description: Pam_ldap does not return an error condition when an LDAP directory server responds with a PasswordPolicyResponse control response, which causes the pam_authenticate function to return a success code even if authentication has failed, as originally reported for xscreensaver. This might lead to an attacker being able to login into a suspended system account. Updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5170 _______________________________________________________________________ Updated Packages: Mandriva Linux 2006.0: 88544f487e0884831e8dca48d9420eca 2006.0/i586/pam_ldap-180-2.1.20060mdk.i586.rpm 2873ac0db22512131ad2f4a5d055e035 2006.0/SRPMS/pam_ldap-180-2.1.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: 4cdb139a35c0b877fccb62b344292133 2006.0/x86_64/pam_ldap-180-2.1.20060mdk.x86_64.rpm 2873ac0db22512131ad2f4a5d055e035 2006.0/SRPMS/pam_ldap-180-2.1.20060mdk.src.rpm Mandriva Linux 2007.0: 338ecc4e0b69209b99f9ad317d6d2385 2007.0/i586/pam_ldap-180-4.1mdv2007.0.i586.rpm 3a747dcc317e95fdc9011c1dfc4254ef 2007.0/SRPMS/pam_ldap-180-4.1mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: 079964ab75deaa3a8d723bc63c4e9be7 2007.0/x86_64/pam_ldap-180-4.1mdv2007.0.x86_64.rpm 3a747dcc317e95fdc9011c1dfc4254ef 2007.0/SRPMS/pam_ldap-180-4.1mdv2007.0.src.rpm Corporate 4.0: 8e800885b38df7d3b566cea4934cdb24 corporate/4.0/i586/pam_ldap-180-3.1.20060mlcs4.i586.rpm 4abf9cd7b032153e407cf487968bc10a corporate/4.0/SRPMS/pam_ldap-180-3.1.20060mlcs4.src.rpm Corporate 4.0/X86_64: 92a60cc8a2d16e7cb305a7665e39e696 corporate/4.0/x86_64/pam_ldap-180-3.1.20060mlcs4.x86_64.rpm 4abf9cd7b032153e407cf487968bc10a corporate/4.0/SRPMS/pam_ldap-180-3.1.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFFURi4mqjQ0CJFipgRAv+AAJ9X0lbBUIA1pFc3IbMFw2/ob60zIACfQSN3 HXWy3ifc4tvQC0XYyy4M2f0= =E4uj -----END PGP SIGNATURE-----
