Bug 578168 (CVE-2010-1151)

Summary: CVE-2010-1151 mod_auth_shadow: bad wait(2) call causes randomized authorization behaviour
Product: [Other] Security Response
Reporter: John Sullivan <jsrhbz>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: bressers, jlieskov, jreznik, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=low,source=researcher,reported=20100330,public=20100409,cvss2=6.4/AV:N/AC:L/Au:N/C:P/I:P/A:N
Doc Type: Bug Fix
Last Closed: 2015-08-22 06:57:17 UTC
Bug Depends On: 580901

Comment 1 Jan Lieskovsky 2010-04-08 11:47:32 UTC
This is CVE-2010-1151.

Comment 2 Jan Lieskovsky 2010-04-08 13:10:48 UTC
A race condition was found in the way mod_auth_shadow
used an external helper binary to validate user credentials
(username / password pairs). A remote attacker could use this flaw
to bypass intended access restrictions, resulting in ability
to view and potentially alter resources, which should be otherwise
protected by authentication.

Acknowledgements:

Red Hat would like to thank John Sullivan for responsibly
reporting this flaw.
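
Added example, not part of the bug report and not mod_auth_shadow's code (the page does not show the faulty call): a fail-closed way for a parent process to collect an external credential helper's verdict with waitpid(2). The exit-status contract and the names helper_verdict, spawn_stub and verdict_with_bystander are assumptions, and the stub child is a constructed stand-in for the helper binary.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed helper contract (not from the page): exit status 0 means the
 * credentials are valid; every other outcome means deny.
 * Reaps exactly `pid` and returns 1 (allow) or 0 (deny). */
int helper_verdict(pid_t pid)
{
    int status = -1;
    pid_t r;

    if (pid <= 0)
        return 0;   /* fork failed; waitpid(-1, ...) would reap any child */
    do {
        r = waitpid(pid, &status, 0);     /* this child only */
    } while (r == -1 && errno == EINTR);  /* retry if a signal interrupted us */
    if (r != pid)
        return 0;   /* waitpid failed, so `status` was never written: deny */
    if (!WIFEXITED(status))
        return 0;   /* helper was killed by a signal: deny */
    return WEXITSTATUS(status) == 0;
}

/* Constructed stand-in for the helper binary: the child exits with `code`,
 * or kills itself when code < 0. Returns the child's pid, or -1. */
pid_t spawn_stub(int code)
{
    pid_t pid = fork();
    if (pid == 0) {
        if (code < 0)
            raise(SIGKILL);
        _exit(code);
    }
    return pid;
}

/* An unrelated child that exits 0 must not influence the helper's verdict. */
int verdict_with_bystander(int helper_code)
{
    pid_t bystander = spawn_stub(0);
    int verdict = helper_verdict(spawn_stub(helper_code));
    helper_verdict(bystander);            /* reap it so no zombie is left */
    return verdict;
}

int main(void)
{
    printf("%d %d %d\n", verdict_with_bystander(0), verdict_with_bystander(1), verdict_with_bystander(-1));
    return 0;
}
```

Every path that does not end in a confirmed exit status of 0 from the specific child denies access, so an interrupted, failed or misdirected wait cannot turn into an allow.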

Comment 5 Fedora Update System 2010-04-09 13:24:50 UTC
mod_auth_shadow-2.2-8.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/mod_auth_shadow-2.2-8.fc13

Comment 6 Fedora Update System 2010-04-09 13:25:18 UTC
mod_auth_shadow-2.2-8.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/mod_auth_shadow-2.2-8.fc12

Comment 7 Fedora Update System 2010-04-09 13:26:28 UTC
mod_auth_shadow-2.2-8.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/mod_auth_shadow-2.2-8.fc11

Comment 8 Fedora Update System 2010-04-09 14:09:59 UTC
mod_auth_shadow-2.2-4.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/mod_auth_shadow-2.2-4.el4

Comment 9 Fedora Update System 2010-04-09 14:11:28 UTC
mod_auth_shadow-2.2-5.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/mod_auth_shadow-2.2-5.el5

Comment 10 Fedora Update System 2010-05-13 19:25:45 UTC
mod_auth_shadow-2.2-8.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2010-05-13 19:28:05 UTC
mod_auth_shadow-2.2-8.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2010-05-14 01:07:30 UTC
mod_auth_shadow-2.2-4.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2010-05-14 01:07:58 UTC
mod_auth_shadow-2.2-5.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2010-05-28 17:55:31 UTC
mod_auth_shadow-2.2-8.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.