[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 952-1] New libapache-auth-ldap packages fix arbitrary code execution

On Mon, 23 Jan 2006 15:06:55 +0100 (CET), DSA 952-1 wrote:

> ---------------------------------------------------------------------------
> Debian Security Advisory DSA 952-1                     security@debian.org
> http://www.debian.org/security/                         Moritz Muehlenhoff
> January 23rd, 2006                      http://www.debian.org/security/faq
> ---------------------------------------------------------------------------
> 
> Package        : libapache-auth-ldap
[...]
> "Seregorn" discovered a format string vulnerability in the logging
> function of libapache-auth-ldap, an LDAP authentication module for the
> Apache webserver, that can lead to the execution of arbitrary code.
[...]
> For the stable distribution (sarge) this problem has been fixed in
> version 1.6.0-8.1
[...]
> Debian GNU/Linux 3.1 alias sarge
> ---------------------------------
> 
>   Source archives:
> 
>     http://security.debian.org/pool/updates/main/liba/libapache-auth-ldap/libapache-auth-ldap_1.6.0-8.1.dsc
>       Size/MD5 checksum:      672 823af0881e3fc9ecaaf4ec4de445a2a1
>     http://security.debian.org/pool/updates/main/liba/libapache-auth-ldap/libapache-auth-ldap_1.6.0-8.1.diff.gz
>       Size/MD5 checksum:     5015 f3d65a99091bb695e9cdeb6f27c28a1b
>     http://security.debian.org/pool/updates/main/liba/libapache-auth-ldap/libapache-auth-ldap_1.6.0.orig.tar.gz
>       Size/MD5 checksum:    79058 de283639b40e3f359ad6e4a65cad1813
[...]
>   Intel IA-32 architecture:
> 
>     http://security.debian.org/pool/updates/main/liba/libapache-auth-ldap/libapache-auth-ldap_1.6.0-8.1_i386.deb
>       Size/MD5 checksum:    69192 ddce8c4e7958dac6dd637f210f3690ea
[snip]

etc., etc.

I assume that libapache-auth-ldap applies only to Apache 1.3.x (it's
hard to tell while packages.d.o is out of action) - the original
Digital Armaments advisory [1] for this problem didn't specify any
particular version of Apache as being relevant.

At any rate, a recently installed Sarge box we have at work is running
Apache 2 with LDAP-based user authentication (against ADS) but doesn't
have libapache-auth-ldap installed.


This is what it has installed :

system42:~# COLUMNS=122 dpkg -l | grep apach
ii  apache2-common        2.0.54-5     next generation, scalable,
                                        extendable web server
ii  apache2-doc           2.0.54-5     documentation for apache2
ii  apache2-mpm-prefork   2.0.54-5     traditional model for Apache2
ii  apache2-utils         2.0.54-5     utility programs for webservers


... and here's the LDAP-related section of apache.conf :

system42:~# grep -i ldap /etc/apache2/sites-available/secure
                AuthLDAPEnabled on
                AuthLDAPAuthoritative on
                AuthLDAPUrl
ldap://my.work.com:3268/DC=my,DC=work,DC=com?SAMAccountName?sub?(objectClass=user)
                AuthLDAPBindDN lookupuser@emea.my.work.com
                AuthLDAPBindPassword deeplySecret


>From this I infer that mod_auth_ldap for Debian-packaged Apache 2 must
be included with the main Debian Apache packages, and that no
libapache(2)-auth-ldap package is required - and that I therefore need
fixed Apache 2 packages.  Is this so ?

If so, are fixed packages upcoming ?
Or is Debian Apache 2 unaffected by this security problem ?

Grateful for any clarification.

[1] http://www.security-express.com/archives/bugtraq/2006-01/0121.html

Thanks,
Nick Boyce
Bristol, UK
-- 
"Never eat more than you can lift."   -- Miss Piggy
Reply to: