Bug 177694 - CVE-2006-0150 auth_ldap format string issue
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: auth_ldap
Version: rhl7.3
Platform: i386 Linux
Priority: medium  Severity: urgent
Assigned To: Fedora Legacy Bugs
URL: http://www.digitalarmaments.com/20060...
Whiteboard: impact=critical, rh73, LEGACY
Keywords: Security
Reported: 2006-01-12 17:12 EST by David Eisenstein
Modified: 2007-04-18 13:36 EDT
Doc Type: Bug Fix
Last Closed: 2006-02-27 19:52:46 EST

Attachments
Proposed Test Update Notification Message (2.41 KB, text/plain)
2006-01-22 03:10 EST, David Eisenstein

Description David Eisenstein 2006-01-12 17:12:34 EST
On 2006-01-10, Red Hat issued RHSA-2006:0179 for this issue.  The Red Hat
Security Response Team rated this issue as having a critical security impact.

    http://rhn.redhat.com/errata/RHSA-2006-0179.html

This only affects RHL 7.3, as the auth_ldap package is not part of any later
RH or Fedora distros.

References:

   CVE-2006-0150  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0150>
   BID 16177:     <http://www.securityfocus.com/bid/16177>

+++ This bug was initially created as a clone of Bug #177421 +++

auth_ldap format string issue

Improper use of the ap_log_rerror function was discovered in
auth_ldap.  This issue could allow a remote attacker to execute
arbitrary code.

http://www.digitalarmaments.com/2006090173928420.html

<<snip>>
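The misuse the description names, a string that may carry client- or LDAP-server-influenced data handed to ap_log_rerror() as its format argument, is shown here in an added example that is not auth_ldap's or Apache's code: log_rerror() is a stand-in for the Apache logger, log_vulnerable() and log_fixed() are the two call patterns, and count_directives() is a hypothetical audit helper.

```c
/* Added example, not auth_ldap's or Apache's own code.  log_rerror() stands in
 * for Apache's printf-style ap_log_rerror(), writing to a buffer for comparison. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_log[256];

static void log_rerror(const char *fmt, ...)   /* first argument is a format */
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: data that may originate with the client or the LDAP
 * server is passed as the format itself, so its '%' directives are interpreted. */
const char *log_vulnerable(const char *msg)
{
    log_rerror(msg);
    return last_log;
}

/* Hardened pattern: the data goes through "%s" and is never treated as a format. */
const char *log_fixed(const char *msg)
{
    log_rerror("%s", msg);
    return last_log;
}

/* Audit helper (hypothetical): count '%' conversions in data about to reach a
 * format argument; "%%" is a literal percent sign, not a conversion. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++)
        if (*s == '%') { if (s[1] == '%') s++; else n++; }
    return n;
}

int main(void)
{
    /* "%%" is well-defined with no arguments, so it shows the difference safely. */
    const char *dn = "uid=bob,ou=100%% users";   /* constructed sample input */
    printf("vulnerable: %s\n", log_vulnerable(dn));
    printf("fixed:      %s\n", log_fixed(dn));
    return 0;
}
```

The vulnerable call collapses the "%%" to "%" because the input was interpreted as a format; the fixed call logs the input verbatim, which is the behaviour the RHEL 2.1 patch restores.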
Comment 1 David Eisenstein 2006-01-18 16:04:38 EST
Here is a RHL 7.3 package to QA:

SHA1SUM                                   Package
2fdfb8deb43cefdd62dd9fc88dee08f0ee9df917  auth_ldap-1.6.0-4.2.legacy.src.rpm

at:

http://fedoralegacy.org/contrib/auth_ldap/auth_ldap-1.6.0-4.2.legacy.src.rpm

Changelog:

* Wed Jan 18 2006 David Eisenstein <deisenst at gtw.net> 1.6.0-4.2.legacy
- Add BuildRequires: apache, openldap, mm, mm-devel

* Wed Jan 18 2006 David Eisenstein <deisenst at gtw.net> 1.6.0-4.1.legacy
- Add patch (forward-ported from RHEL2.1's patch) for CVE-2006-0150,
  format string vulnerability.  Bugzilla Bug #177694.

Comment 2 Pekka Savola 2006-01-20 05:44:57 EST
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patch matches RHEL21
 
+PUBLISH RHL73
 
2fdfb8deb43cefdd62dd9fc88dee08f0ee9df917  auth_ldap-1.6.0-4.2.legacy.src.rpm
Comment 3 David Eisenstein 2006-01-20 23:04:27 EST
Thanks, Pekka!  :-)
Comment 4 David Eisenstein 2006-01-22 03:10:07 EST
Created attachment 123539
Proposed Test Update Notification Message

I have built on jane:
  * auth_ldap-1.6.0-4.2.legacy for RedHat Linux 7.3
   (/var/tmp/mach/redhat-73-i386-updates/auth_ldap-1.6.0-4.2.legacy)

Attached is a proposed Test Update Notification text.  Please let me know if
there is anything wrong with it.  Thanks.
Comment 5 Marc Deslauriers 2006-01-24 18:29:41 EST
Packages were pushed to updates-testing
Comment 6 Pekka Savola 2006-02-14 01:29:08 EST
New policy: automatic accept after two weeks if no negative feedback.
Comment 7 Pekka Savola 2006-02-27 01:41:53 EST
Timeout over.
Comment 8 Marc Deslauriers 2006-02-27 19:52:46 EST
Packages were released.
