Date: Thu, 7 Jan 2010 23:05:28 +0100
From: Aurelien Jarno <aurelien@...el32.net>
To: oss-security@...ts.openwall.com
Cc: Christoph Pleger <Christoph.Pleger@...tu-dortmund.de>
Subject: CVE id request: GNU libc: NIS shadow password leakage

Hi oss-sec,

Christoph Pleger has reported through the Debian bug tracker [1] that
non-privileged users can read NIS shadow password entries simply using
getpwnam() when nscd is in use.

The issue has already been reported upstream [2], and a proposed patch is
available on [3].

It seems that all GNU libc versions are affected, including derivatives
like EGLIBC.

Could we please get a CVE id for this issue?

Thanks,
Aurelien

[1] http://bugs.debian.org/560333
[2] http://sourceware.org/bugzilla/show_bug.cgi?id=11134
[3] http://svn.debian.org/viewsvn/pkg-glibc/glibc-package/trunk/debian/patches/any/submitted-nis-shadow.diff?revision=4062&view=markup

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
aurelien@...el32.net                 http://www.aurel32.net
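
An added example, not part of the original message and not the Debian or glibc patch: a small C check for administrators that reports whether getpwnam() returns something shaped like a password hash to the calling user, without printing the hash. It assumes a leaked entry would surface in pw_passwd and that hashes follow the usual crypt(3) formats; looks_like_hash and audit_user are hypothetical names.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Heuristic: 1 if the field looks like a crypt(3) hash, 0 for placeholders
 * such as "x", "*", "!!" or "". The formats checked are an assumption. */
int looks_like_hash(const char *field)
{
    static const char alphabet[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    size_t len;

    if (field == NULL)
        return 0;
    while (*field == '!' || *field == '*')   /* lock markers may precede a hash */
        field++;
    len = strlen(field);
    /* Modular crypt format: $id$salt$hash */
    if (len > 3 && field[0] == '$' && strchr(field + 1, '$') != NULL)
        return 1;
    /* Traditional DES crypt: 13 characters from the crypt alphabet */
    return len == 13 && strspn(field, alphabet) == 13;
}

/* Look up one account as the calling user. Assumes a leaked shadow entry
 * would surface in pw_passwd. Returns 1 exposed, 0 not, -1 unknown user. */
int audit_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    return pw == NULL ? -1 : looks_like_hash(pw->pw_passwd);
}

int main(int argc, char **argv)
{
    int i, exposed = 0;

    for (i = 1; i < argc; i++) {
        int r = audit_user(argv[i]);   /* the hash itself is never printed */
        if (r == 1)
            exposed = 1;
        printf("%s: %s\n", argv[i], r == 1 ? "HASH VISIBLE to this uid" :
               r == 0 ? "placeholder only" : "no such user");
    }
    return exposed;
}
```

Run it as an ordinary user on the NIS client, with nscd running, passing account names as arguments; a non-zero exit status means at least one entry exposed a hash-shaped value.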