Steve Rigler

Name of the Vulnerable Software and Affected Versions: nss ldap versions prior to the fixed version libpam-ldap (affected versions not specified) Red Hat Enterprise Linux 4 Fedora Core 3 and earlier Description: The issue concerns multiple vulnerabilities in the libpam-ldap package of the Debian GNU/Linux operating system, which can lead to breaches of confidentiality, integrity, and availability of protected information. Exploitation can be carried out remotely. Specifically, in nss ldap, when an LDAP directory server responds with a PasswordPolicyResponse control response, the pam authenticate function returns a success code even if authentication has failed. Recommendations: For nss ldap on Red Hat Enterprise Linux 4 and Fedora Core 3 and earlier, update to a version that correctly handles the PasswordPolicyResponse control response from the LDAP directory server. For libpam-ldap, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the `pam authenticate` function until a patch is available.