Bug 1617681 (CVE-2005-2069)
Summary: | CVE-2005-2069 security flaw | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Stephen Herr <sherr> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | ggasparb, jpazdziora, pmatouse |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-08-16 04:22:46 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Stephen Herr
2018-08-16 04:22:38 UTC
MITRE description: pam_ldap and nss_ldap, when used with OpenLDAP and connecting to a slave using TLS, does not use TLS for the subsequent connection if the client is referred to a master, which may cause a password to be sent in cleartext and allows remote attackers to sniff the password. Statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. Red Hat Enterprise Linux 8 is not vulnerable to this issue. Hello, while doing review of the Vulnerability Assessment report of RHEL 8.6 for the purpose of Common Criteria certification, we came across this CVE-2005-2069. The CVE page https://access.redhat.com/security/cve/CVE-2005-2069 does not list RHEL 8. Therefore, it is not clear if the patch mentioned there for RHEL 5 is still present in the RHEL 8 package. Could the CVE page be updated with Red Hat's official statement about this CVE in RHEL 8? Thank you, Jan (In reply to Jan Pazdziora from comment #3) > Could the CVE page be updated with Red Hat's official statement about this > CVE in RHEL 8? added statement |