Rapid7 Vulnerability & Exploit Database

CESA-2006:0719: nss_ldap security update


Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 10/10/2006
Created: 07/25/2018
Added: 03/12/2010
Modified: 07/04/2017

Description

Updated nss_ldap packages that fix a security flaw are now available for CentOS Linux 4. This update has been rated as having moderate security impact by the CentOS Security Response Team.

nss_ldap is a set of C library extensions that allow X.500 and LDAP directory servers to be used as primary sources for aliases, ethers, groups, hosts, networks, protocols, users, RPCs, services, and shadow passwords.

A flaw was found in the way nss_ldap handled a PasswordPolicyResponse control sent by an LDAP server. If an LDAP server responded to an authentication request with a PasswordPolicyResponse control, it was possible for an application using nss_ldap to improperly authenticate certain users. (CVE-2006-5170)

This flaw was only exploitable within applications which did not properly process nss_ldap error messages. Only xscreensaver is currently known to exhibit this behavior.

All users of nss_ldap should upgrade to these updated packages, which contain a backported patch that resolves this issue.

Solution(s)

  • centos-upgrade-nss_ldap
