From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)

Description of problem:
05.27.8 CVE: CAN-2005-2069
Platform: Linux
Title: PADL Software PAM_LDAP TLS Plaintext Password
Description: PAM_LDAP is the PAM module package designed to allow authentication with LDAP servers via PAM-compliant authentication mechanisms. It is reported to be vulnerable to a potential password disclosure issue when used with TLS. The issue presents itself when LDAP client connects to the master which was redirected by LDAP slave, by using the same credentials but without TLS.
Ref: http://www.securityfocus.com/bid/14126

Version-Release number of selected component (if applicable):

How reproducible: Didn't try

Additional info:
05.34.7 CVE: CAN-2005-2641
Platform: Unix
Title: PADL Software PAM_LDAP Authentication Bypass
Description: PAM_LDAP is the PAM module package designed to allow authentication with LDAP servers via PAM-compliant authentication mechanisms. PAM_LDAP is prone to an authentication bypass vulnerability. When handling new password policy control, if the LDAP server returns a passwordPolicyResponse control in a BindResponse without the optional "error" field, PAM_LDAP will not fall through to the account management module. Successful exploitation could allow an unauthorized user to bypass authentication.
Ref: http://www.securityfocus.com/bid/14649
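
As an added example (not part of this report and not pam_ldap's own code), the sketch below decodes a passwordPolicyResponse control value as laid out in draft-behera-ldap-password-policy and keeps an absent "error" field distinct from a policy error, so the caller still goes on to account management. The function names, decision strings and any sample bytes are assumptions constructed for illustration.

```python
# Added example, not pam_ldap code. Names and decision strings are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class PolicyResponse:
    time_before_expiration: Optional[int] = None  # warning [0], choice [0]
    grace_logins_remaining: Optional[int] = None  # warning [0], choice [1]
    error: Optional[int] = None                   # error [1]; None = field absent

def _tlv(buf: bytes, pos: int):
    """Read one short-form BER TLV and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    end = pos + 2 + length
    if length & 0x80 or end > len(buf):
        raise ValueError("unsupported or truncated length")
    return tag, buf[pos + 2:end], end

def parse_ppolicy_response(value: bytes) -> PolicyResponse:
    """Decode PasswordPolicyResponseValue; both members are OPTIONAL."""
    tag, body, end = _tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected exactly one SEQUENCE")
    resp, pos = PolicyResponse(), 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        if tag == 0xA0:                      # warning, explicitly tagged CHOICE
            wtag, wval, _ = _tlv(val, 0)
            number = int.from_bytes(wval, "big", signed=True)
            if wtag == 0x80:
                resp.time_before_expiration = number
            elif wtag == 0x81:
                resp.grace_logins_remaining = number
            else:
                raise ValueError("unknown warning choice")
        elif tag == 0x81 and len(val) == 1:  # error, ENUMERATED
            resp.error = val[0]
        else:
            raise ValueError("unexpected element in control value")
    return resp

def account_decision(bind_ok: bool, resp: Optional[PolicyResponse]) -> str:
    """Hypothetical caller logic: an absent error never ends processing early."""
    if not bind_ok:
        return "deny"
    if resp is not None and resp.error is not None:
        return "handle_policy_error"
    return "continue_account_checks"
```
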
Fedora Legacy project has ended. These will not be fixed by Fedora Legacy.