Your message dated Sat, 18 Apr 2015 15:19:15 +0000
with message-id <[email protected]>
and subject line Bug#761406: fixed in openldap 2.4.23-7.3+deb6u1
has caused the Debian Bug report #761406,
regarding slapd: CVE-2014-9713: dangerous access rule in default config
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
761406: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761406
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: slapd
Version: 2.4.31-1+nmu2
Severity: normal
The configure script sets the following access rules for the LDAP
database:
| olcAccess: to attrs=userPassword,shadowLastChange
| by self write
| by anonymous auth
| by dn="cn=admin,@SUFFIX@" write
| by * none
| olcAccess: to dn.base="" by * read
| olcAccess: to *
| by self write
| by dn="cn=admin,@SUFFIX@" write
| by * read
When LDAP is used to authenticate users (e.g. in conjunction with
libnss-ldapd and libpam-ldapd), the rule "olcAccess: to * by self write" allows
the user to change her uidNumber and impersonate another user.
IMO the default config should allow self-write access to userPassword
and shadowLastChange only. If this is not possible, write access should
at least be limited to attributes which are commonly expected to be
user-writeable, e.g.:
| olcAccess: to attrs=userPassword,shadowLastChange
| by self write
| by anonymous auth
| by dn="cn=admin,@SUFFIX@" write
| by * none
| olcAccess: to attrs=loginShell,gecos
| by self write
| by dn="cn=admin,@SUFFIX@" write
| by * read
| olcAccess: to dn.base="" by * read
| olcAccess: to *
| by dn="cn=admin,@SUFFIX@" write
| by * read
-- System Information:
Debian Release: 7.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages slapd depends on:
ii adduser 3.113+nmu3
ii coreutils 8.13-3.5
ii debconf [debconf-2.0] 1.5.49
ii libc6 2.13-38+deb7u4
ii libdb5.1 5.1.29-5
ii libgcrypt11 1.5.0-5+deb7u1
ii libgnutls26 2.12.20-8+deb7u2
ii libldap-2.4-2 2.4.31-1+nmu2
ii libltdl7 2.4.2-1.1
ii libodbc1 2.2.14p2-5
ii libperl5.14 5.14.2-21+deb7u1
ii libsasl2-2 2.1.25.dfsg1-6+deb7u1
ii libslp1 1.2.1-9
ii libwrap0 7.6.q-24
ii lsb-base 4.1+Debian8+deb7u1
ii multiarch-support 2.13-38+deb7u4
ii perl [libmime-base64-perl] 5.14.2-21+deb7u1
ii psmisc 22.19-1+deb7u1
Versions of packages slapd recommends:
ii libsasl2-modules 2.1.25.dfsg1-6+deb7u1
Versions of packages slapd suggests:
ii ldap-utils 2.4.31-1+nmu2
-- Configuration Files:
/etc/default/slapd changed [not included]
-- debconf information excluded
--- End Message ---
--- Begin Message ---
Source: openldap
Source-Version: 2.4.23-7.3+deb6u1
We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ryan Tandy <[email protected]> (supplier of updated openldap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 17 Apr 2015 18:39:40 -0700
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source
Version: 2.4.23-7.3+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian OpenLDAP Maintainers <[email protected]>
Changed-By: Ryan Tandy <[email protected]>
Description:
ldap-utils - OpenLDAP utilities
libldap-2.4-2 - OpenLDAP libraries
libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
libldap2-dev - OpenLDAP development libraries
slapd - OpenLDAP server (slapd)
slapd-dbg - Debugging information for the OpenLDAP server (slapd)
slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 663644 729367 761406 776988
Changes:
openldap (2.4.23-7.3+deb6u1) squeeze-lts; urgency=high
.
* debian/slapd.init.ldif: Disallow modifying one's own entry by default,
except specific attributes. (CVE-2014-9713) (Closes: #761406)
* debian/slapd.{config,templates}: On upgrade, if an access rule begins with
"to * by self write", show a debconf note warning that it should be
changed.
* debian/slapd.README.debian: Add information about how to remove "to * by
self write" from existing ACLs.
* debian/po/*: Add translations of debconf warning.
* debian/patches/ITS7723-fix-reference-counting.patch: Import upstream patch
to fix a crash in the rwm overlay when a search is immediately followed by
an unbind. (ITS#7723) (CVE-2013-4449) (Closes: #729367)
* debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream
patch to fix a crash when a search includes the Deref control with an
empty attribute list. (ITS#8027) (CVE-2015-1545) (Closes: #776988)
* debian/patches/ITS7143-fix-attr_dup2-when-attrsOnly.patch: Import upstream
patch to fix a crash when doing an attrsOnly search of a database
configured with both the rwm and translucent overlays. (ITS#7143)
(CVE-2012-1164) (Closes: #663644)
Checksums-Sha1:
1c6613375b3790e37e03e45ebf31e4bc7264366e 2815 openldap_2.4.23-7.3+deb6u1.dsc
bfc98011bbd0c141a57475e3834c38bc4f93cffe 158490 openldap_2.4.23-7.3+deb6u1.diff.gz
Checksums-Sha256:
33675c439af8d610864a245cb5f1e64503d31702db306c711fd5da99e0151739 2815 openldap_2.4.23-7.3+deb6u1.dsc
bb22b677fea356751bf0db75facd99e27ee33fd365b81694a333d2bfceba2ee2 158490 openldap_2.4.23-7.3+deb6u1.diff.gz
Files:
162d12730ed2e79a03ad36ba527dfce5 2815 net optional openldap_2.4.23-7.3+deb6u1.dsc
dd93ab71922f8b61ebf20088cf9b8147 158490 net optional openldap_2.4.23-7.3+deb6u1.diff.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIVAwUBVTJiLwkauFYGmqocAQrn6w/9HD9K0wcQmVR2F1o2bSfhHtmwexVczipm
WjswT0jPdAxLiZ/QZNJNbqun8Bh6EaHYDJ+6Gs/+Pusok1Ci/pCaFrAHeQq10F7G
8ty1GltHkcz381HcVE9E47hjFvJtGxvDoFcRqOLOgYfFoO2oRsM0x707KKiEljDr
lIhq6YYdwxnYuh5Rl7j45s4HSA0mDMfOBT9u0APozHsYugxJr8P8BCe5B5/CBj8/
l4HKxYPuKHW0AFT8g6eIXttlg6Ar/XztQ+XEsRS8meh5Qses4baokHZlXMvGIBwM
EX3sad5d8gZPPn/YQ5P8qUXJkowujrPVWdKNiEk1DaMlMt3uw+gYz8z/VnRGMaw6
BdZoTgTRjE/FfFC8HLJudCC/700rWMUmDIxozF4ySaK33Ocnws1Q0CeVhhEK2SbH
QvuMjQLkPldaT5wMr0S7UlyE48Jm3RlofFD+SL91HxcCR/3xoj4/ughnREaioHe1
66dhHR99saDEmaGnEs5MUVgM+/achHAZNyiShKOVU7Mcfp5N5PS9EPATwFvLlQTl
uijmtRKO2GoF6+5kCi9PMeVjkQcSx8ZuDZRahx/z/2O5m44i/ay6KHSeJB61iyFw
nVjtGCpHZZq25nj/gzDRjQRtFCm3tH8NyuUMYEC+OpD0RBKbC7xGzOL0pOxvqbQx
VmwZzpVJPuo=
=cvbE
-----END PGP SIGNATURE-----
--- End Message ---
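The bug report above explains the CVE-2014-9713 pattern (a "to * by self write" rule lets any bound user rewrite its own uidNumber and be mapped to another account by libnss-ldapd), and the changelog describes Debian's upgrade check, which only looks for a rule that begins with that exact string. The following is an added example, not part of either message and not Debian's slapd.config check: an audit script that reads olcAccess values from a cn=config LDIF, applies slapd's first-matching-rule semantics (attributes claimed by an earlier attrs= rule are not exposed by a later "to *" rule), and reports which account-mapping attributes a self-writable whole-entry rule leaves open. The two LDIF strings are constructed here (the weak one mirrors the old default, the hardened one the reporter's proposal, both with the suffix assumed as dc=example,dc=com); the regex parser covers the simple "to <what> by <who> <access>" syntax of Debian's defaults, not every ACL form slapd accepts, and SENSITIVE_ATTRS is this example's own choice of attributes.

```python
"""Audit cn=config ACLs for the CVE-2014-9713 pattern: a rule with no attrs=
restriction that grants 'by self write'.  Added example, not Debian's check.
Parsing covers the simple 'to <what> by <who> <access>' syntax only (assumed
sufficient for Debian-style ACLs); a DN containing ' by ' would confuse it.
"""
import re
from typing import Dict, List, Tuple

# Attributes libnss-ldapd uses to map an entry to a local account (assumed list).
SENSITIVE_ATTRS = {"uid", "uidNumber", "gidNumber", "homeDirectory"}

# Constructed sample: the pre-fix default, as folded under /etc/ldap/slapd.d.
WEAK_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=example,dc=com" write
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to *
  by self write
  by dn="cn=admin,dc=example,dc=com" write
  by * read
"""

# Constructed sample: the reporter's proposal, self write limited to named attrs.
HARDENED_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=example,dc=com" write
  by * none
olcAccess: {1}to attrs=loginShell,gecos
  by self write
  by dn="cn=admin,dc=example,dc=com" write
  by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to *
  by dn="cn=admin,dc=example,dc=com" write
  by * read
"""


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    out: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out


def olc_access_rules(text: str) -> List[str]:
    """olcAccess values in slapd evaluation order, with the {n} prefix stripped."""
    rules = []
    for line in unfold_ldif(text):
        if line.lower().startswith("olcaccess:"):
            value = re.sub(r"^\{\d+\}", "", line.split(":", 1)[1].strip())
            rules.append(re.sub(r"\s+", " ", value))
    return rules


def parse_rule(rule: str) -> Tuple[str, List[Tuple[str, str]]]:
    """'to <what> by <who> <access> [by ...]' -> (what, [(who, access), ...])."""
    m = re.match(r"to\s+(.*?)\s+by\s+(.*)$", rule)
    if not m:
        raise ValueError(f"cannot parse ACL: {rule!r}")
    clauses = []
    for clause in re.split(r"\s+by\s+", m.group(2)):
        who, _, access = clause.rpartition(" ")
        clauses.append((who, access))
    return m.group(1), clauses


def audit(text: str) -> List[Dict]:
    """One finding per rule that grants 'self write' on whole entries."""
    findings = []
    covered = set()  # attributes already claimed by an earlier attrs= rule
    for index, rule in enumerate(olc_access_rules(text)):
        what, clauses = parse_rule(rule)
        attrs = re.search(r"attrs=(\S+)", what)
        if attrs:
            # slapd applies the first <what> that matches an attribute, so a
            # later broader rule never reaches these (dn scope ignored here).
            covered.update(attrs.group(1).split(","))
            continue
        if any(who == "self" and access in ("write", "manage")
               for who, access in clauses):
            findings.append({"index": index, "rule": rule,
                             "exposed": sorted(SENSITIVE_ATTRS - covered)})
    return findings


if __name__ == "__main__":
    for name, ldif in (("weak", WEAK_LDIF), ("hardened", HARDENED_LDIF)):
        print(name, audit(ldif) or "OK")
```

Run against a real server with `slapcat -n 0 | python3 audit.py` after replacing the sample strings with `sys.stdin.read()`; a finding with a non-empty "exposed" list is the case the reporter describes, while a finding with an empty list still means users can rewrite other attributes of their own entry (objectClass, for instance) and is worth fixing by limiting self write to an explicit attrs= list as in the hardened sample.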