Date: Thu, 7 Jan 2010 23:05:28 +0100
From: Aurelien Jarno <aurelien@...el32.net>
To: oss-security@...ts.openwall.com
Cc: Christoph Pleger <Christoph.Pleger@...tu-dortmund.de>
Subject: CVE id request: GNU libc: NIS shadow password leakage

Hi oss-sec,

Christoph Pleger has reported through the Debian bug tracker [1] that
non-privileged users can read NIS shadow password entries simply
using getpwnam() when nscd is in use.

The issue has already been reported upstream [2], and a proposed patch
is available on [3].

It seems that all GNU libc versions are affected, including derivatives
like EGLIBC.

Could we please get a CVE id for this issue?

Thanks,
Aurelien

[1] http://bugs.debian.org/560333
[2] http://sourceware.org/bugzilla/show_bug.cgi?id=11134
[3] http://svn.debian.org/viewsvn/pkg-glibc/glibc-package/trunk/debian/patches/any/submitted-nis-shadow.diff?revision=4062&view=markup

-- 
Aurelien Jarno	                        GPG: 1024D/F1BCDB73
aurelien@...el32.net                 http://www.aurel32.net
