GLSA 200507-13
1. Gentoo Linux Security Advisory Version Information Advisory Reference GLSA 200507-13 / pam_ldap nss_ldap Release Date July 14, 2005 Latest Revision July 14, 2005: 01 Impact normal Exploitable remote Package Vulnerable versions Unaffected versions Architecture(s) sys-auth/nss_ldap < 239-r1 >= 239-r1, 226-r1 All supported architectures sys-auth/pam_ldap < 178-r1 >= 178-r1 All supported architectures Related bugreports: #96767 Synopsis pam_ldap and nss_ldap fail to restart TLS when following a referral, possibly leading to credentials being sent in plain text. 2. Impact Information Background pam_ldap is a Pluggable Authentication Module which allows authentication against an LDAP directory. nss_ldap is a Name Service Switch module which allows 'passwd', 'group' and 'host' database information to be pulled from LDAP. TLS is Transport Layer Security, a protocol that allows encryption of network communications. Description Rob Holland of the Gentoo Security Audit Team discovered that pam_ldap and nss_ldap fail to use TLS for referred connections if they are referred to a master after connecting to a slave, regardless of the "ssl start_tls" ldap.conf setting. Impact An attacker could sniff passwords or other sensitive information as the communication is not encrypted. 3. Resolution Information Workaround pam_ldap and nss_ldap can be set to force the use of SSL instead of TLS. Resolution All pam_ldap users should upgrade to the latest version: Code Listing 3.1 # emerge ——sync # emerge ——ask ——oneshot ——verbose ">=sys-auth/pam_ldap-178-r1" All nss_ldap users should upgrade to the latest version: Code Listing 3.2 # emerge ——sync # emerge ——ask ——oneshot ——verbose sys-auth/nss_ldap 4. References CAN-2005-2069 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2069 http://www.gentoo.org/security/en/glsa/glsa-200507-13.xml