Fedora Legacy Test Update Notification: auth_ldap

Marc Deslauriers marcdeslauriers at videotron.ca
Tue Jan 24 23:31:02 UTC 2006


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-177694
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177694
2006-01-24
---------------------------------------------------------------------

Name        : auth_ldap
Versions    : rh7.3: auth_ldap-1.6.0-4.2.legacy
Summary     : This is an LDAP authentication module for Apache.
Description :
This is an authentication module for Apache that allows you to
authenticate HTTP clients using user entries in an LDAP directory.

---------------------------------------------------------------------
Update Information:

An updated auth_ldap package that fixes a format string security issue
is now available for testing for Red Hat Linux 7.3.

The auth_ldap package is an httpd module that allows user authentication
against information stored in an LDAP database.

A format string flaw was found in the way auth_ldap logs information. It
may be possible for a remote attacker to execute arbitrary code as the
'apache' user if auth_ldap is used for user authentication. The Common
Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
CVE-2006-0150 to this issue.
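
The bug class described above, as an added illustration that is not auth_ldap's own code (the logger stand-in, message text and function names are assumptions): a printf-style logger handed an attacker-supplied login name as its format string, beside the constant-format call that the fix pattern uses, plus a small check a unit test can run against values headed for a log call.

```c
/* Constructed illustration of the format-string bug class behind
 * CVE-2006-0150. NOT auth_ldap's source: names and messages are assumed. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 256

/* Stand-in for a printf-style logger (Apache's ap_log_rerror() takes a
 * format the same way). Every '%' sequence in `fmt` is interpreted. */
static int log_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* BEFORE (the defect pattern, kept as a comment so it is never compiled
 * or run here): the untrusted name is passed as the format itself.
 *     return log_msg(out, outlen, user);
 * A name containing '%' directives is then interpreted by the logger. */

/* AFTER: a constant format, the untrusted value only as a "%s" argument,
 * so it is copied verbatim into the log line. */
static int log_user_fixed(char *out, size_t outlen, const char *user)
{
    return log_msg(out, outlen, "auth_ldap: auth failed for user %s", user);
}

/* Defender-side probe: does a string carry any conversion directive?
 * "%%" is a literal percent and does not count. */
static int has_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] == '%') { p++; continue; }
        if (p[1] != '\0') return 1;
    }
    return 0;
}

int main(void)
{
    char buf[LOG_BUF];
    const char *hostile = "alice%s%n";   /* constructed sample input */
    log_user_fixed(buf, sizeof buf, hostile);
    printf("%s\ndirectives present: %d\n", buf, has_format_directive(hostile));
    return 0;
}
```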

Note that this issue only affects servers that have auth_ldap installed
and configured to perform user authentication against an LDAP database.

All users of auth_ldap should upgrade to this updated package, which
contains a backported patch to resolve this issue.

This issue does not affect Red Hat Linux 9, Fedora Core 1, 2 or 3
distributions as they do not include the auth_ldap package.

---------------------------------------------------------------------
Changelogs

* Wed Jan 18 2006 David Eisenstein <deisenst at gtw.net> 1.6.0-4.2.legacy
- Add BuildRequires: apache, openldap, mm, mm-devel

* Wed Jan 18 2006 David Eisenstein <deisenst at gtw.net> 1.6.0-4.1.legacy
- Add patch (forward-ported from RHEL2.1's patch) for CVE-2006-0150,
  format string vulnerability.  Bugzilla Bug #177694.

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

38f70135bc17c313fecdb81f61e776ac032b796e
redhat/7.3/updates-testing/i386/auth_ldap-1.6.0-4.2.legacy.i386.rpm
78b7ee876d5b900ff5268b1a396a59ca9f2385f0
redhat/7.3/updates-testing/SRPMS/auth_ldap-1.6.0-4.2.legacy.src.rpm

---------------------------------------------------------------------

Please test and comment in bugzilla.