Debian PADL nss_ldap '/etc/nss_ldapd.conf'本地信息泄露漏洞

漏洞介绍

nss_ldap是一个开放源码的命名服务(NSS)的模块，作为根据的AIX，Linux操作系统，Solaris和其他操作系统的本地命名服务的目录服务器( LDAP是轻量目录服务协议)。

nss-ldapd 0.6.8之前版本为/etc/nss-ldapd.conf文件使用可普遍读取的许可，这使得本地用户可以通过读取bindpw字段，获得为LDAP服务器设置的一个明文密码。

目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接：

Debian Linux 5.0 ia-64

Debian libnss-ldapd_0.6.7.1_ia64.deb

http://security.debian.org/pool/updates/main/n/nss-ldapd/libnss-ldapd_0.6.7.1_ia64.deb

Debian Linux 5.0 alpha

Debian libnss-ldapd_0.6.7.1_alpha.deb

http://security.debian.org/pool/updates/main/n/nss-ldapd/libnss-ldapd_0.6.7.1_alpha.deb

Debian Linux 5.0 ia-32

Debian libnss-ldapd_0.6.7.1_i386.deb

http://security.debian.org/pool/updates/main/n/nss-ldapd/libnss-ldapd_0.6.7.1_i386.deb

Debian Linux 5.0 s/390

Debian libnss-ldapd_0.6.7.1_s390.deb

http://security.debian.org/pool/updates/main/n/nss-ldapd/libnss-ldapd_0.6.7.1_s390.deb

Debian Linux 5.0 mipsel

Debian libnss-ldapd_0.6.7.1_mipsel.deb

http://security.debian.org/pool/updates/main/n/nss-ldapd/libnss-ldapd_0.6.7.1_mipsel.deb

Debian Linux 5.0 hppa

Debian libnss-ldapd_0.6.7.1_hppa.deb

http://security.debian.org/pool/updates/main/n/nss-ldapd/libnss-ldapd_0.6.7.1_hppa.deb

Debian Linux 5.0 arm

Debian libnss-ldapd_0.6.7.1_arm.deb

http://security.debian.org/pool/updates/main/n/nss-ldapd/libnss-ldapd_0.6.7.1_arm.deb>

Debian Linux 5.0 armel

Debian libnss-ldapd_0.6.7.1_armel.deb

http://security.debian.org/pool/updates/main/n/nss-ldapd/libnss-ldapd_0.6.7.1_armel.deb

Debian Linux 5.0 amd64

Debian libnss-ldapd_0.6.7.1_amd64.deb

http://security.debian.org/pool/updates/main/n/nss-ldapd/libnss-ldapd_0.6.7.1_amd64.deb

Debian Linux 5.0 mips

Debian libnss-ldapd_0.6.7.1_mips.deb

http://security.debian.org/pool/updates/main/n/nss-ldapd/libnss-ldapd_0.6.7.1_mips.deb

Debian Linux 5.0 powerpc

Debian libnss-ldapd_0.6.7.1_powerpc.deb

http://security.debian.org/pool/updates/main/n/nss-ldapd/libnss-ldapd_0.6.7.1_powerpc.deb

Debian Linux 5.0 sparc

Debian libnss-ldapd_0.6.7.1_sparc.deb

http://security.debian.org/pool/updates/main/n/nss-ldapd/libnss-ldapd_0.6.7.1_sparc.deb

来源: DEBIAN

名称: DSA-1758

链接：http://www.debian.org/security/2009/dsa-1758
来源: bugs.debian.org

链接：http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520476
来源: BID

名称: 34211

链接：http://www.securityfocus.com/bid/34211
来源: MLIST

名称: [oss-security] 20090324 Re: CVE request -- ucd-snmp / net-snmp, libnss-ldapd / nss_ldap

链接：http://www.openwall.com/lists/oss-security/2009/03/25/4
来源: MLIST

名称: [oss-security] 20090324 Re: CVE request -- ucd-snmp / net-snmp, libnss-ldapd / nss_ldap

链接：http://www.openwall.com/lists/oss-security/2009/03/25/3
来源: MLIST

名称: [oss-security] 20090324 Re: CVE request -- ucd-snmp / net-snmp, libnss-ldapd / nss_ldap

链接：http://www.openwall.com/lists/oss-security/2009/03/24/2
来源: MLIST

名称: [oss-security] 20090323 CVE request -- ucd-snmp / net-snmp, libnss-ldapd / nss_ldap

链接：http://www.openwall.com/lists/oss-security/2009/03/23/3
来源: SECUNIA

名称: 34523

链接：http://secunia.com/advisories/34523
来源: MISC

链接：http://launchpad.net/bugs/cve/2009-1073
来源: ch.tudelft.nl

链接：http://ch.tudelft.nl/~arthur/nss-ldapd/news.html#20090322
来源: arthurenhella.demon.nl

链接：http://arthurenhella.demon.nl/viewvc/nss-ldapd/nss-ldapd/man/nss-ldapd.conf.5.xml?r1=805&r2=806