Your message dated Fri, 03 Apr 2015 18:17:11 +0000
with message-id <[email protected]>
and subject line Bug#761406: fixed in openldap 2.4.31-2
has caused the Debian Bug report #761406,
regarding slapd: CVE-2014-9713: dangerous access rule in default config
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
761406: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761406
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: slapd
Version: 2.4.31-1+nmu2
Severity: normal
The configure script sets the following access rules for the LDAP
database:
| olcAccess: to attrs=userPassword,shadowLastChange
|     by self write
|     by anonymous auth
|     by dn="cn=admin,@SUFFIX@" write
|     by * none
| olcAccess: to dn.base="" by * read
| olcAccess: to *
|     by self write
|     by dn="cn=admin,@SUFFIX@" write
|     by * read
When LDAP is used to authenticate users (e.g. in conjunction with
libnss-ldapd and libpam-ldapd), the rule "olcAccess: to * by self write" allows
the user to change her uidNumber and impersonate another user.
IMO the default config should allow self-write access to userPassword
and shadowLastChange only. If this is not possible, write access should
at least be limited to attributes which are commonly expected to be
user-writeable, e.g.:
| olcAccess: to attrs=userPassword,shadowLastChange
|     by self write
|     by anonymous auth
|     by dn="cn=admin,@SUFFIX@" write
|     by * none
| olcAccess: to attrs=loginShell,gecos
|     by self write
|     by dn="cn=admin,@SUFFIX@" write
|     by * read
| olcAccess: to dn.base="" by * read
| olcAccess: to *
|     by dn="cn=admin,@SUFFIX@" write
|     by * read
-- System Information:
Debian Release: 7.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages slapd depends on:
ii adduser 3.113+nmu3
ii coreutils 8.13-3.5
ii debconf [debconf-2.0] 1.5.49
ii libc6 2.13-38+deb7u4
ii libdb5.1 5.1.29-5
ii libgcrypt11 1.5.0-5+deb7u1
ii libgnutls26 2.12.20-8+deb7u2
ii libldap-2.4-2 2.4.31-1+nmu2
ii libltdl7 2.4.2-1.1
ii libodbc1 2.2.14p2-5
ii libperl5.14 5.14.2-21+deb7u1
ii libsasl2-2 2.1.25.dfsg1-6+deb7u1
ii libslp1 1.2.1-9
ii libwrap0 7.6.q-24
ii lsb-base 4.1+Debian8+deb7u1
ii multiarch-support 2.13-38+deb7u4
ii perl [libmime-base64-perl] 5.14.2-21+deb7u1
ii psmisc 22.19-1+deb7u1
Versions of packages slapd recommends:
ii libsasl2-modules 2.1.25.dfsg1-6+deb7u1
Versions of packages slapd suggests:
ii ldap-utils 2.4.31-1+nmu2
-- Configuration Files:
/etc/default/slapd changed [not included]
-- debconf information excluded
--- End Message ---
--- Begin Message ---
Source: openldap
Source-Version: 2.4.31-2
We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luca Bruno <[email protected]> (supplier of updated openldap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Mon, 30 Mar 2015 10:03:58 +0200
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source amd64
Version: 2.4.31-2
Distribution: wheezy-security
Urgency: high
Maintainer: Debian OpenLDAP Maintainers <[email protected]>
Changed-By: Luca Bruno <[email protected]>
Description:
ldap-utils - OpenLDAP utilities
libldap-2.4-2 - OpenLDAP libraries
libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
libldap2-dev - OpenLDAP development libraries
slapd - OpenLDAP server (slapd)
slapd-dbg - Debugging information for the OpenLDAP server (slapd)
slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 729367 761406 776988
Changes:
openldap (2.4.31-2) wheezy-security; urgency=high
.
* Team upload.
.
[ Ryan Tandy ]
* debian/slapd.init.ldif: Disallow modifying one's own entry by default,
except specific attributes. (CVE-2014-9713) (Closes: #761406)
* debian/slapd.{config,templates}: On upgrade, if an access rule begins with
"to * by self write", show a debconf note warning that it should be
changed.
* debian/slapd.README.debian: Add information about how to remove "to * by
self write" from existing ACLs.
* debian/po/*: Add translations of debconf warning.
* debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream
patch to fix a crash when a search includes the Deref control with an
empty attribute list. (ITS#8027) (CVE-2015-1545) (Closes: #776988)
* debian/patches/ITS7723-fix-reference-counting.patch: Import upstream patch
to fix a crash in the rwm overlay when a search is immediately followed by
an unbind. (ITS#7723) (CVE-2013-4449) (Closes: #729367)
--- End Message ---
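As an added example (not code from the bug report or from the Debian openldap package), the following Python checker parses olcAccess values from cn=config LDIF, evaluates what a bound user may do to a given attribute of their own entry, and flags the broad "to * ... by self write" pattern that the report describes and that the 2.4.31-2 upgrade note warns about. The two sample configurations, the dc=example,dc=org suffix standing in for @SUFFIX@, and the simplified target matching (only "*" and attrs= lists; DN-scoped and filter targets are treated as non-matching) are this example's own assumptions.

```python
import re

# Constructed sample: the default ACLs quoted in the report, with the {n}
# ordering prefixes slapd uses in cn=config and a placeholder suffix.
VULNERABLE = """\
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write
 by anonymous auth by dn="cn=admin,dc=example,dc=org" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=org" write
 by * read
"""

# Constructed sample: the restricted variant proposed in the report.
FIXED = """\
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write
 by anonymous auth by dn="cn=admin,dc=example,dc=org" write by * none
olcAccess: {1}to attrs=loginShell,gecos by self write
 by dn="cn=admin,dc=example,dc=org" write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=admin,dc=example,dc=org" write by * read
"""

def parse_acls(ldif):
    """Unfold LDIF continuation lines and split every olcAccess value into
    (target, [(who, access), ...]) in the order slapd evaluates them.
    Assumes no DN in the rules contains the token ' by '."""
    unfolded = re.sub(r"\n ", " ", ldif)        # LDIF folds with a leading space
    rules = []
    for line in unfolded.splitlines():
        if not line.startswith("olcAccess:"):
            continue
        value = re.sub(r"^olcAccess:\s*(\{\d+\})?", "", line).strip()
        target, *clauses = re.split(r"\s+by\s+", value)
        by = [tuple(c.rsplit(None, 1)) for c in clauses]   # (who, access)
        rules.append((target[len("to "):].strip(), by))
    return rules

def target_covers(target, attr):
    """Simplified slapd target matching for one attribute of a user entry."""
    if target == "*":
        return True
    if target.startswith("attrs="):
        return attr.lower() in {a.lower() for a in target[6:].split(",")}
    return False   # dn.*/filter targets (e.g. the root DSE rule): not a user attr

def self_access(rules, attr):
    """Access the bound user gets to ATTR of their own entry: the first rule
    whose target covers the attribute decides, and within it the first 'by'
    clause that applies to self ('self' or '*'); no applicable clause = none."""
    for target, by in rules:
        if target_covers(target, attr):
            return next((acc for who, acc in by if who in ("self", "*")), "none")
    return "none"

def broad_self_write(rules):
    """Targets granting self write without an attrs= restriction: the pattern
    the Debian upgrade check flags, since it covers uidNumber and gidNumber."""
    return [t for t, by in rules
            if not t.startswith("attrs=") and ("self", "write") in by]
```

Running self_access over both samples shows the difference the fix makes: uidNumber is self-writable under VULNERABLE but only readable under FIXED, while userPassword and loginShell stay self-writable.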