Bug 96311 - VUL-0: CVE-2005-2069: pam_ldap and nss_ldap not using tls for referred connections to OpenLDAP
Status: VERIFIED DUPLICATE of bug 94355
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All SLES 9
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: CVE-2005-2069: CVSS v2 Base Score: 5....
Reported: 2005-07-13 11:57 UTC by Dennis Conrad
Modified: 2021-11-10 14:49 UTC

Found By: Other
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Dennis Conrad 2005-07-13 11:57:19 UTC
(Stolen from http://bugs.gentoo.org/show_bug.cgi?id=96767 ):

pam_ldap will send credentials in plaintext if a slave ldap server refers it to
a master server during a password change operation. The ldap.conf "ssl
start_tls" setting is not enforced on referrals (and openldap doesn't currently
allow it due to a bug).

More references:

http://secunia.com/advisories/15906/

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2069
Comment 1 Marcus Meissner 2005-07-13 11:59:15 UTC

*** This bug has been marked as a duplicate of 94355 ***
Comment 2 Thomas Biege 2009-10-13 21:32:53 UTC
CVE-2005-2069: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)