Solution
Please install the updated packages.
Insight
The nss_ldap package contains the nss_ldap and pam_ldap modules. The nss_ldap module is a plug-in which allows applications to retrieve information about users and groups from a directory server. The pam_ldap module allows PAM-aware applications to use a directory server to verify user passwords.
A race condition was discovered in nss_ldap which affected certain applications which make LDAP connections, such as Dovecot. This could cause nss_ldap to answer a request for information about one user with information about a different user. (CVE-2007-5794)
In addition, these updated packages fix the following bugs:
* a build error prevented the nss_ldap module from being able to use DNS to discover the location of a directory server. For example, when the /etc/nsswitch.conf configuration file was configured to use "ldap", but no "host" or "uri" option was configured in the /etc/ldap.conf configuration file, no directory server was contacted, and no results were returned.
* the "port" option in the /etc/ldap.conf configuration file on client machines was ignored. For example, if a directory server which you were attempting to use was listening on a non-default port (i.e. not ports 389 or 636), it was only possible to use that directory server by including the port number in the "uri" option. In this updated package, the "port" option works as expected.
* pam_ldap failed to change an expired password if it had to follow a referral to do so, which could occur, for example, when using a slave directory server in a replicated environment. An error such as the following occurred after entering a new password: "LDAP password information update failed: Can't contact LDAP server Insufficient 'write' privilege to the 'userPassword' attribute". This has been resolved in this updated package.
* when the "pam_password exop_send_old" password-change method was configured in the /etc/ldap.conf configuration file, a logic error in the pam_ldap module caused client machines to attempt to change a user's password twice. First, the pam_ldap module attempted to change the password using the "exop" request, and then again using an LDAP modify request.
* on Red Hat Enterprise Linux 5.1, rebuilding nss_ldap-253-5.el5 when the krb5-*-1.6.1-17.el5 packages were installed failed due to an error such as the following:
+ /builddir/build/SOURCES/dlopen.sh ./nss_ldap-253/nss_ldap.so dlopen() of "././nss_l ...
Description truncated, for more information please check the Reference URL
Affected
nss_ldap on Red Hat Enterprise Linux (v. 5 server)
References
Updated on 2015-03-25
Severity
Classification: -
CVE: CVE-2007-5794
CVSS Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Related Vulnerabilities