Date: Thu, 7 Jan 2010 23:05:28 +0100
From: Aurelien Jarno <aurelien@...el32.net>
To: oss-security@...ts.openwall.com
Cc: Christoph Pleger <Christoph.Pleger@...tu-dortmund.de>
Subject: CVE id request: GNU libc: NIS shadow password leakage

Hi oss-sec,

Christoph Pleger has reported through the Debian bug tracker [1] that non-privileged users can read NIS shadow password entries simply using getpwnam() when nscd is in use.

The issue has already been reported upstream [2], and a proposed patch is available on [3].

It seems that all GNU libc versions are affected, including derivatives like EGLIBC.

Could we please get a CVE id for this issue?

Thanks,
Aurelien

[1] http://bugs.debian.org/560333
[2] http://sourceware.org/bugzilla/show_bug.cgi?id=11134
[3] http://svn.debian.org/viewsvn/pkg-glibc/glibc-package/trunk/debian/patches/any/submitted-nis-shadow.diff?revision=4062&view=markup

--
Aurelien Jarno GPG: 1024D/F1BCDB73
aurelien@...el32.net http://www.aurel32.net
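
A check an administrator can run as an unprivileged user on an NIS client with nscd running, to see whether getpwnam() returns a password hash for given accounts. This is an added example, not part of the original message or the proposed patch; the function names and the hash-recognition heuristic are assumptions of the example.

```c
/* Added example: audit getpwnam() results for exposed password hashes. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Heuristic (assumption of this example): a pw_passwd value counts as a real
 * crypt(3) hash if it has the modular "$id$..." form or is a 13-character
 * traditional DES string. Placeholders such as "x", "*" or "!" return 0. */
int looks_like_hash(const char *field)
{
    static const char des_alphabet[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

    if (field == NULL || field[0] == '\0')
        return 0;
    if (field[0] == '$' && strchr(field + 1, '$') != NULL)
        return 1;
    return strlen(field) == 13 && strspn(field, des_alphabet) == 13;
}

/* Look one account up through the normal NSS path (served by nscd when it is
 * running). Returns 1 if a hash is exposed, 0 if not, -1 if no such user. */
int check_user(const char *name)
{
    struct passwd *pw = getpwnam(name);

    if (pw == NULL)
        return -1;
    return looks_like_hash(pw->pw_passwd);
}

/* Usage: ./nis-audit user1 user2 ...   (run as a non-root user) */
int main(int argc, char **argv)
{
    int exposed = 0;

    for (int i = 1; i < argc; i++) {
        int r = check_user(argv[i]);
        /* Report only the account name; the hash itself is never printed. */
        printf("%-16s %s\n", argv[i],
               r < 0 ? "not found" : r ? "HASH EXPOSED" : "ok");
        if (r > 0)
            exposed++;
    }
    return exposed ? 1 : 0;
}
```

The exit status is non-zero if any listed account returned a hash, so the check can be rerun after applying a fix to confirm the result changes to "ok".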