USN-152-1: PAM/NSS LDAP vulnerabilitiy

21 July 2005

openldap2, libpam-ldap, libnss-ldap vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 5.04
  • Ubuntu 4.10

Software Description

Details

Andrea Barisani discovered a flaw in the SSL handling of pam-ldap and libnss-ldap. When a client connected to a slave LDAP server using SSL, the slave server did not use SSL as well when contacting the LDAP master server. This caused passwords and other confident information to be transmitted unencrypted between the slave and the master.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 5.04
libnss-ldap
libpam-ldap
slapd
Ubuntu 4.10
libnss-ldap
libpam-ldap
slapd

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

References