nss-pam-ldapd security advisory (CVE-2011-0438)

Russell Sim discovered a serious security vulnerability in development
release 0.8.0 of nss-pam-ldapd that allows authentication with an
incorrect password for local user accounts.

The PAM module will erroneously return a success code when the user
cannot be found in LDAP. Exploitability depends on the details of the
PAM configuration but on systems that don't use the minimum_uid PAM
option it may be possible to log in to any local account, including

This problem only affects the 0.8.0 development release of
nss-pam-ldapd. Earlier releases are not affected.

This problem has been assigned CVE-2011-0438.

More details are available at:

Affected users are advised to apply the attached patch, upgrade to 0.8.1
(which will be released shortly), downgrade to 0.7.13 or disable
nss-pam-ldapd's PAM module.

-- arthur - - --

Attachment: nss-pam-ldapd-0.8.0-authentication-bypass-fix.patch
Description: Text Data
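
The following is an added example, not part of the advisory or of the nss-pam-ldapd project: a Python check that lists `pam_ldap.so` rules in a PAM service file that lack the `minimum_uid` option the advisory refers to. The sample configuration is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of a PAM service file (not taken from the advisory).
SAMPLE_PAM = """\
# /etc/pam.d/common-auth (constructed)
auth  [success=2 default=ignore]  pam_unix.so nullok_secure
auth  [success=1 default=ignore]  pam_ldap.so use_first_pass
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
account sufficient pam_ldap.so minimum_uid=1000
-session optional /lib/security/pam_ldap.so
"""

def parse_pam_line(line):
    """Split one PAM rule into (type, control, module, args); None if not a rule."""
    line = line.split("#", 1)[0].strip()
    m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
    if not m:
        return None
    mtype, control, module, rest = m.groups()
    return mtype.lower(), control, module, rest.split()

def find_unrestricted_pam_ldap(text, types=("auth",)):
    """Return (line number, type, minimum_uid value) for pam_ldap.so rules
    that have no minimum_uid option, or one that excludes no account."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_pam_line(raw)
        if parsed is None:
            continue
        mtype, _control, module, args = parsed
        if mtype not in types or module.rsplit("/", 1)[-1] != "pam_ldap.so":
            continue
        uid = next((a.split("=", 1)[1] for a in args
                    if a.startswith("minimum_uid=")), None)
        if uid is None or not uid.isdigit() or int(uid) == 0:
            findings.append((lineno, mtype, uid))
    return findings

if __name__ == "__main__":
    for lineno, mtype, uid in find_unrestricted_pam_ldap(SAMPLE_PAM):
        print(f"line {lineno}: {mtype} pam_ldap.so, minimum_uid={uid}")
```

`pam_ldap.so` is also the file name of PADL's separate pam_ldap module, so confirm which package owns the module before acting on a finding.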