Debian Security Advisory

DSA-421-1 mod-auth-shadow -- password expiration

Date reported:
12 Jan 2004
Affected packages:
mod-auth-shadow
Vulnerable:
Yes
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 9404.
In Mitre's CVE dictionary: CVE-2004-0041.
More information:

David B Harris discovered a problem with mod-auth-shadow, an Apache module which authenticates users against the system's shadow password database: the expiration status of the user's account and password was not enforced. The vulnerability allowed an otherwise authorized user to authenticate successfully even though the attempt should have been rejected because of the expiration parameters.

For the current stable distribution (woody) this problem has been fixed in version 1.3-3.1woody.1.

For the unstable distribution (sid) this problem has been fixed in version 1.4-1.

We recommend that you update your mod-auth-shadow package.
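
The kind of check described above as missing, written as an added example (it is not the module's code or the Debian patch): it evaluates the aging fields of a `struct spwd` as documented in shadow(5). The enum and function names are hypothetical, the sample values are constructed, and rejecting a forced password change is an assumption for a module that cannot prompt for a new password.

```c
#include <shadow.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical names; not taken from mod-auth-shadow. */
enum shadow_status { SHADOW_OK, SHADOW_ACCOUNT_EXPIRED, SHADOW_PASSWORD_EXPIRED };

/* Evaluate shadow(5) aging fields as of `today`, counted in days since
 * 1970-01-01 (the unit the shadow fields use). Call this only after the
 * password hash has matched, and reject on anything but SHADOW_OK. */
enum shadow_status shadow_check_expiry(const struct spwd *sp, long today)
{
    /* sp_expire: absolute account expiry day; -1 means "never". */
    if (sp->sp_expire != -1 && today >= sp->sp_expire)
        return SHADOW_ACCOUNT_EXPIRED;

    /* sp_lstchg == 0: a password change is forced at next login.
     * Assumption: an HTTP auth module cannot prompt for one, so reject. */
    if (sp->sp_lstchg == 0)
        return SHADOW_PASSWORD_EXPIRED;

    /* sp_max: maximum password age in days; -1 disables aging, as does
     * an unset (-1) last-change day. */
    if (sp->sp_lstchg > 0 && sp->sp_max != -1 &&
        today - sp->sp_lstchg > sp->sp_max)
        return SHADOW_PASSWORD_EXPIRED;

    return SHADOW_OK;
}

/* Build a constructed entry from three fields and evaluate it. */
enum shadow_status check_fields(long lstchg, long max, long expire, long today)
{
    struct spwd sp = {0};
    sp.sp_lstchg = lstchg;
    sp.sp_max = max;
    sp.sp_expire = expire;
    return shadow_check_expiry(&sp, today);
}

int main(void)
{
    long today = (long)(time(NULL) / 86400);
    /* Constructed entry: password last changed 200 days ago, 90-day maximum. */
    printf("status=%d\n", (int)check_fields(today - 200, 90, -1, today));
    return 0;
}
```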

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3-3.1woody.1.dsc
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3-3.1woody.1.diff.gz
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.