Re: [SECURITY] [DSA 952-1] New libapache-auth-ldap packages fix arbitrary code execution
On Mon, 23 Jan 2006 15:06:55 +0100 (CET), DSA 952-1 wrote:
> ---------------------------------------------------------------------------
> Debian Security Advisory DSA 952-1 security@debian.org
> http://www.debian.org/security/ Moritz Muehlenhoff
> January 23rd, 2006 http://www.debian.org/security/faq
> ---------------------------------------------------------------------------
>
> Package : libapache-auth-ldap
[...]
> "Seregorn" discovered a format string vulnerability in the logging
> function of libapache-auth-ldap, an LDAP authentication module for the
> Apache webserver, that can lead to the execution of arbitrary code.
[...]
> For the stable distribution (sarge) this problem has been fixed in
> version 1.6.0-8.1
[...]
> Debian GNU/Linux 3.1 alias sarge
> ---------------------------------
>
> Source archives:
>
> http://security.debian.org/pool/updates/main/liba/libapache-auth-ldap/libapache-auth-ldap_1.6.0-8.1.dsc
> Size/MD5 checksum: 672 823af0881e3fc9ecaaf4ec4de445a2a1
> http://security.debian.org/pool/updates/main/liba/libapache-auth-ldap/libapache-auth-ldap_1.6.0-8.1.diff.gz
> Size/MD5 checksum: 5015 f3d65a99091bb695e9cdeb6f27c28a1b
> http://security.debian.org/pool/updates/main/liba/libapache-auth-ldap/libapache-auth-ldap_1.6.0.orig.tar.gz
> Size/MD5 checksum: 79058 de283639b40e3f359ad6e4a65cad1813
[...]
> Intel IA-32 architecture:
>
> http://security.debian.org/pool/updates/main/liba/libapache-auth-ldap/libapache-auth-ldap_1.6.0-8.1_i386.deb
> Size/MD5 checksum: 69192 ddce8c4e7958dac6dd637f210f3690ea
[snip]
etc., etc.
I assume that libapache-auth-ldap applies only to Apache 1.3.x (it's
hard to tell while packages.d.o is out of action) - the original
Digital Armaments advisory [1] for this problem didn't specify any
particular version of Apache as being relevant.
At any rate, a recently installed Sarge box we have at work is running
Apache 2 with LDAP-based user authentication (against ADS) but doesn't
have libapache-auth-ldap installed.
This is what it has installed:
system42:~# COLUMNS=122 dpkg -l | grep apach
ii apache2-common 2.0.54-5 next generation, scalable, extendable web server
ii apache2-doc 2.0.54-5 documentation for apache2
ii apache2-mpm-prefork 2.0.54-5 traditional model for Apache2
ii apache2-utils 2.0.54-5 utility programs for webservers
... and here's the LDAP-related section of apache.conf:
system42:~# grep -i ldap /etc/apache2/sites-available/secure
AuthLDAPEnabled on
AuthLDAPAuthoritative on
AuthLDAPUrl ldap://my.work.com:3268/DC=my,DC=work,DC=com?SAMAccountName?sub?(objectClass=user)
AuthLDAPBindDN lookupuser@emea.my.work.com
AuthLDAPBindPassword deeplySecret
From this I infer that mod_auth_ldap for Debian-packaged Apache 2 must
be included with the main Debian Apache packages, and that no
libapache(2)-auth-ldap package is required - and that I therefore need
fixed Apache 2 packages. Is this so?
If so, are fixed packages upcoming?
Or is Debian Apache 2 unaffected by this security problem?
Grateful for any clarification.
[1] http://www.security-express.com/archives/bugtraq/2006-01/0121.html
Thanks,
Nick Boyce
Bristol, UK
--
"Never eat more than you can lift." -- Miss Piggy
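The advisory above describes a format string bug in a logging function: caller-controlled text (for example a username taken from the LDAP request) is handed to a printf-style routine as the format argument instead of as data. The block below is an added illustration written for this thread; it is not code from libapache-auth-ldap, mod_auth_ldap or Debian, and the function names (log_line_unsafe, log_line_safe, contains_format_directive) and the sample "user=jdoe%s" string are constructed for the example. It shows the defective pattern beside the one-token fix, and a small review-time helper that reports whether a string would be interpreted by printf if it were ever used as a format.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Defective pattern (hypothetical, modelled on the bug class in the advisory):
 * the caller-supplied text is passed as the FORMAT argument.  Any '%' in it
 * is interpreted by snprintf, so the text is no longer just data.  It is kept
 * only for side-by-side contrast and is never fed format directives here.
 * The pragmas silence the very warning (-Wformat-security) that would have
 * flagged this call during a build with warnings enabled. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int log_line_unsafe(char *out, size_t n, const char *text)
{
    return snprintf(out, n, text);
}
#pragma GCC diagnostic pop

/* Fixed pattern: the format is a string literal and the text is an argument,
 * so '%' characters in the text are copied verbatim. */
static int log_line_safe(char *out, size_t n, const char *text)
{
    return snprintf(out, n, "%s", text);
}

/* Review / test helper: returns 1 if printf would treat any part of s as a
 * conversion directive.  "%%" is a literal percent and is not counted. */
static int contains_format_directive(const char *s)
{
    const char *p = strchr(s, '%');
    while (p != NULL) {
        if (p[1] == '%') {
            p = strchr(p + 2, '%');   /* skip the escaped pair */
        } else {
            return 1;                 /* "%s", "%x", "%n", ... */
        }
    }
    return 0;
}

int main(void)
{
    char buf[64];
    /* Constructed sample: a plain name is logged identically by both forms. */
    log_line_unsafe(buf, sizeof buf, "user=jdoe");
    printf("unsafe, plain text : %s\n", buf);
    /* A name containing '%' is only safe with the literal-format version. */
    const char *probe = "user=jdoe%s";
    printf("would be interpreted as a format: %d\n", contains_format_directive(probe));
    log_line_safe(buf, sizeof buf, probe);
    printf("safe, kept verbatim : %s\n", buf);
    return 0;
}
```

The practical checks for a defender are the two in the block: build with -Wformat -Wformat-security so a non-literal format with no arguments fails the build, and grep audit-relevant strings (usernames, DNs, request fields) for unescaped '%' before they can reach any printf-family call.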