-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2005-86
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------
Original release date: 29 Aug 2005
Last revised: 29 Aug 2005
Package: nss_ldap
Summary: Password leak
More information:
nss_ldap is a set of C library extensions that allows X.500 and LDAP
directory servers to be used as a primary source of aliases, ethers,
groups, hosts, networks, protocols, users, RPCs, services and shadow
passwords (instead of or in addition to using flat files or NIS).
pam_ldap and nss_ldap do not use TLS for the referred connection
when they are referred to a master after connecting to a slave.
Impact:
pam_ldap and nss_ldap may send a password in cleartext, which
allows remote attackers to sniff the password.
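The script below is an added example, not part of the Turbolinux advisory. It classifies an ldap.conf of the kind read by nss_ldap and pam_ldap to show whether a host combines TLS with referral chasing, the condition described above. The option names ssl, referrals and uri, the default of "referrals yes", and the sample file contents are assumptions taken from that configuration format, not from this advisory.

```shell
#!/bin/sh
# Added example, not part of the advisory. Option names (ssl, referrals, uri)
# and the default "referrals yes" are assumed from the ldap.conf format
# shared by nss_ldap and pam_ldap.

# conf_get KEY FILE DEFAULT: print the value of KEY (last occurrence is
# taken, an assumption), ignoring comments and case; DEFAULT if unset.
conf_get() {
    awk -v key="$1" -v def="$3" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key   { val = tolower($2) }
        END                  { print (val == "" ? def : val) }
    ' "$2"
}

# audit_ldap_conf FILE: print NO_TLS, REFERRALS_OFF or AT_RISK.
audit_ldap_conf() {
    ssl=$(conf_get ssl "$1" off)
    referrals=$(conf_get referrals "$1" yes)
    # Count active uri lines that name an ldaps:// server.
    ldaps=$(awk '!/^[ \t]*#/ && tolower($1) == "uri" && tolower($0) ~ /ldaps:\/\// { n++ }
                 END { print n + 0 }' "$1")
    if [ "$ssl" = off ] && [ "$ldaps" -eq 0 ]; then
        echo NO_TLS          # binds are never encrypted; a separate problem
    elif [ "$referrals" = no ]; then
        echo REFERRALS_OFF   # client will not follow a slave's referral
    else
        echo AT_RISK         # TLS to the slave, referral to the master followed
    fi
}

# Constructed sample: StartTLS to a replica, referral chasing left at default.
sample_conf() {
    cat <<'EOF'
# /etc/ldap.conf (constructed for illustration)
uri ldap://replica.example.com/
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
#referrals no
EOF
}

if [ "$#" -eq 1 ]; then
    audit_ldap_conf "$1"
fi
```

A host reporting AT_RISK relies on TLS and follows referrals, so it is one to prioritise for the nss_ldap update listed under Solution.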
Affected Products:
- Turbolinux 10 Server
- Turbolinux Home
- Turbolinux 10 F...
- Turbolinux 10 Desktop
- Turbolinux Multimedia
- Turbolinux Personal
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
Solution:
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
[Turbolinux 10 Server, Turbolinux 10 Desktop, Turbolinux 10 F...,
Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal]
# turbopkg
or
# zabom -u nss_ldap
[other]
# turbopkg
or
# zabom update nss_ldap
---------------------------------------------
<Turbolinux 10 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/SRPMS/nss_ldap-209-2.src.rpm
226968 c85c3be40324b73654a0ed2eb3d7533c
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/nss_ldap-209-2.i586.rpm
77229 e1f5ffc41a49b077adeb9bc2b3b72a34
<Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/nss_ldap-209-2.src.rpm
226968 4e4213a6741b85eb547d524956cad20c
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/nss_ldap-209-2.i586.rpm
77071 06287205b2d06c7551c56e91ef4748d2
<Turbolinux 8 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/nss_ldap-202-3.src.rpm
199582 fc26c54ff2558cd93532bf2c59b653d2
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/nss_ldap-202-3.i586.rpm
79356 56bc1beb223b5d7b1bae6d26ad0d92fe
<Turbolinux 8 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/nss_ldap-202-3.src.rpm
199582 582b891468b11143d1cc9e4c95e5d81e
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/nss_ldap-202-3.i586.rpm
79366 1375db1b32581d21850d3f3970b67e14
<Turbolinux 7 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/nss_ldap-202-3.src.rpm
199582 59ed7aa5913cf47bd810b8e8adc308f2
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/nss_ldap-202-3.i586.rpm
78955 3a4d36320552b164880999760532d197
<Turbolinux 7 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/nss_ldap-202-3.src.rpm
199582 614d011a344583f6f1c9d20ea4b5eb01
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/nss_ldap-202-3.i586.rpm
79024 f9e45874b4b02185bd362bece4ecec54
References:
CVE [CAN-2005-2069]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2069
--------------------------------------------------------------------------
Revision History
29 Aug 2005 Initial release
--------------------------------------------------------------------------
Copyright(C) 2005 Turbolinux, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFDEptgK0LzjOqIJMwRAgvtAKCYuQHofYL1XHGglGTr4HSaPw0+QwCfXva3
dyYrJo0Cw+B72fI8csTAgeg=
=AODL
-----END PGP SIGNATURE-----