Updated nss_ldap packages are now available for Red Hat Linux 6.2, 7, 7.1, 7.2, and 7.3. These packages fix a string format vulnerability in the pam_ldap module. [Update Jun 4, 2002] Replacement packages have been added for Red Hat Linux 6.2. The previous packages could not be installed with the version of RPM that shipped with Red Hat Linux 6.2
The pam_ldap module provides authentication for user access to a system by consulting a directory using LDAP. Versions of pam_ldap prior to version 144 include a format string bug in the logging function. The packages included in this erratum update pam_ldap to version 144, fixing this bug. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0374 to this issue. Due to differences in the default behavior of the pam_ldap module when performing account management, the version of authconfig included in Red Rat Linux 7.2 generates incorrect /etc/pam.d/system-auth files for the version of pam_ldap included in this erratum. Thus, an updated version of authconfig for Red Hat Linux 7.2 is included in this erratum (versions of authconfig included with Red Hat Linux 7, 7.1, and 7.3 are not affected). Our thanks go to the pam_ldap team at padl.com for bringing this to our attention. A previous revision of this erratum included packages which could not be installed with the version of RPM included with Red Hat Linux 6.2. While they can be installed with versions of RPM which have been released as errata for Red Hat Linux 6.2, this revision includes packages which remove this restriction. Packages for Red Hat Linux 7, 7.1, 7.2, and 7.3 have not been modified.