Bug 120578 (CVE-2005-2963)

Summary: VUL-0: CVE-2005-2963: apache_contrib: mod_auth_shadow bypass
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Peter Poeml <poeml>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: patch-request, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-2963: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Biege 2005-10-06 07:52:46 UTC
Hi Peter,
here we go...

--------------------------------------------------------------------------
Debian Security Advisory DSA 844-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 5th, 2005                       http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : mod-auth-shadow
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2963
Debian Bug     : 323789

A vulnerability in mod_auth_shadow, an Apache module that lets users
perform HTTP authentication against /etc/shadow, has been discovered.
The module runs for all locations that use the 'require group'
directive which would bypass access restrictions controlled by another
authorisation mechanism, such as AuthGroupFile file, if the username
is listed in the password file and in the gshadow file in the proper
group and the supplied password matches against the one in the shadow
file.

This update requires an explicit "AuthShadow on" statement if website
authentication should be checked against /etc/shadow.

For the old stable distribution (woody) this problem has been fixed in
version 1.3-3.1woody.2.

For the stable distribution (sarge) this problem has been fixed in
version 1.4-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 1.4-2.

We recommend that you upgrade your libapache-mod-auth-shadow package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
--------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3-3.1woody.2.dsc
      Size/MD5 checksum:      628 78a6276d158c96247f87c2a82ad337c9
    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3-3.1woody.2.diff.gz
      Size/MD5 checksum:     5818 e57059b3d026f4490e83ef48e7c64551
    http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3.orig.tar.gz
      Size/MD5 checksum:     7476 3ad4432193ac603049ad0f2fa94f2054

etc.
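As an added illustration (not part of the advisory or of this bug report), an Apache 1.3 configuration of the kind the advisory describes: a location that authorises through AuthGroupFile, and a second one that opts into /etc/shadow checking with the explicit "AuthShadow on" the fixed package requires. The paths, realm names and group names are made up.

```apache
# Added example, not from the advisory. Paths, realms and group names are invented.
#
# Location 1 is meant to be controlled entirely by the htpasswd/htgroup files.
# With the unpatched mod_auth_shadow loaded, the module also handles this block
# simply because it contains 'require group': a system account that exists in
# /etc/passwd, is a member of "webadmins" in /etc/gshadow, and presents its
# /etc/shadow password is admitted even though it is absent from htgroup.
# With the fixed module, this block is left to mod_auth alone because it does
# not say "AuthShadow on".
<Location /admin>
    AuthType Basic
    AuthName "Admin area"
    AuthUserFile  /etc/apache/htpasswd
    AuthGroupFile /etc/apache/htgroup
    require group webadmins
</Location>

# Location 2 deliberately authenticates system accounts against /etc/shadow.
# After the update this only works with the explicit directive below; a block
# that previously relied on the implicit behaviour stops using /etc/shadow
# until "AuthShadow on" is added.
<Location /staff>
    AuthType Basic
    AuthName "Staff (system accounts)"
    AuthShadow on
    require group staff
</Location>
```

After upgrading, review every block containing 'require group': those that should keep checking /etc/shadow need "AuthShadow on", and those that should not must not carry it.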
Comment 1 Peter Poeml 2005-10-06 10:44:44 UTC
We have that module in the apache-contrib package on 9.0 (only).
Comment 2 Marcus Meissner 2005-10-17 19:37:28 UTC
It's perhaps too minor to fix, or?
Comment 3 Peter Poeml 2005-10-18 14:39:50 UTC
I agree.
Comment 4 Thomas Biege 2009-10-13 21:39:35 UTC
CVE-2005-2963: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)