Rapid7 Vulnerability & Exploit Database

RHSA-2002:084: Updated nss_ldap packages fix pam_ldap vulnerability

Back to Search

RHSA-2002:084: Updated nss_ldap packages fix pam_ldap vulnerability

Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
05/29/2002
Created
07/25/2018
Added
10/28/2005
Modified
07/04/2017

Description

Updated nss_ldap packages are now available for Red Hat Linux 6.2, 7, 7.1, 7.2, and 7.3. These packages fix a string format vulnerability in the pam_ldap module. [Update Jun 4, 2002] Replacement packages have been added for Red Hat Linux 6.2. The previous packages could not be installed with the version of RPM that shipped with Red Hat Linux 6.2

The pam_ldap module provides authentication for user access to a system by consulting a directory using LDAP. Versions of pam_ldap prior to version 144 include a format string bug in the logging function. The packages included in this erratum update pam_ldap to version 144, fixing this bug. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0374 to this issue. Due to differences in the default behavior of the pam_ldap module when performing account management, the version of authconfig included in Red Rat Linux 7.2 generates incorrect /etc/pam.d/system-auth files for the version of pam_ldap included in this erratum. Thus, an updated version of authconfig for Red Hat Linux 7.2 is included in this erratum (versions of authconfig included with Red Hat Linux 7, 7.1, and 7.3 are not affected). Our thanks go to the pam_ldap team at padl.com for bringing this to our attention. A previous revision of this erratum included packages which could not be installed with the version of RPM included with Red Hat Linux 6.2. While they can be installed with versions of RPM which have been released as errata for Red Hat Linux 6.2, this revision includes packages which remove this restriction. Packages for Red Hat Linux 7, 7.1, 7.2, and 7.3 have not been modified.

Solution(s)

  • redhat-upgrade-authconfig
  • redhat-upgrade-nss_ldap

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;