Re: [SECURITY] [DSA 2096-1] New zope-ldapuserfolder packages fix authentication bypass
On 24.8.2010, at 23.54, Sebastien Delafond wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA-2096-1 security@debian.org
> http://www.debian.org/security/ Moritz Muehlenhoff
> August 24, 2010 http://www.debian.org/security/faq
> - ------------------------------------------------------------------------
>
> Package : zope-ldapuserfolder
> Vulnerability : missing input validation
> Problem type : remote
> Debian-specific: no
> CVE Id : CVE-2010-2944
> Debian Bug : 593466
>
> Jeremy James discovered that in zope-ldapuserfolder, a Zope extension
> used to authenticate against an LDAP server, the authentication code
> does not verify the password provided for the emergency user. Malicious
> users that manage to get the emergency user login can use this flaw to
> gain administrative access to the Zope instance, by providing an
> arbitrary password.
>
> For the stable distribution (lenny), this problem has been fixed in
> version 2.9-1+lenny1.
>
> The package no longer exists in the upcoming stable distribution
> (squeeze) or the unstable distribution.
>
> We recommend that you upgrade your zope-ldapuserfolder package.
>
> Upgrade instructions
> - --------------------
>
> wget url
> will fetch the file for you
> dpkg -i file.deb
> will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
> will update the internal database
> apt-get upgrade
> will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 5.0 alias lenny
> - --------------------------------
>
> Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
>
> Source archives:
>
> http://security.debian.org/pool/updates/main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9.orig.tar.gz
> Size/MD5 checksum: 106677 c380401e4de43c4aa5aad8c7af104ac5
> http://security.debian.org/pool/updates/main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9-1+lenny1.dsc
> Size/MD5 checksum: 1122 65bc92834fb17c525b9c5a43589a05e6
> http://security.debian.org/pool/updates/main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9-1+lenny1.diff.gz
> Size/MD5 checksum: 2635 fdfc884244f970d77f3da18a638a135c
>
> Architecture independent packages:
>
> http://security.debian.org/pool/updates/main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9-1+lenny1_all.deb
> Size/MD5 checksum: 110686 44db774a6142e62e71ac0e0cb9e6fafa
>
>
> These files will probably be moved into the stable distribution on
> its next update.
>
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEARECAAYFAkx0MVEACgkQXm3vHE4uylrJcACfb+YXHmXJRVT048+yEtxwLR/f
> +AcAoJSOMNCmGLHCq9gdrR0jjsj60l6R
> =Voz+
> -----END PGP SIGNATURE-----
>
>
> --
> To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: http://lists.debian.org/20100824205459.GA3410@galadriel.inutil.org
>
Arsi Hartikainen
arsi.hartikainen@gmail.com
2055921-5
Punkkerikatu 1 B 3
53850 Lappeenranta
puh: 044 0500528
Reply to: