Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 09 Mar 2011 22:57:14 +0100
From: Arthur de Jong <>
To: nss-pam-ldapd-announce <>
Subject: nss-pam-ldapd security advisory (CVE-2011-0438)

Russell Sim discovered a serious security vulnerability in development
release 0.8.0 of nss-pam-ldapd that allows authentication with an
incorrect password for local user accounts.

The PAM module will erroneously return a success code when the user
cannot be found in LDAP. Exploitability depends on the details of the
PAM configuration but on systems that don't use the minimum_uid PAM
option it may be possible to log in to any local account, including

This problem only affects the 0.8.0 development release of
nss-pam-ldapd. Earlier releases are not affected.

This problem has been assigned CVE-2011-0438.

More details are available at:

Affected users are advised to apply the attached patch, upgrade to 0.8.1
(which will be released shortly), downgrade to 0.7.13 or disable
nss-pam-ldapd's PAM module.

-- arthur - - --

View attachment "nss-pam-ldapd-0.8.0-authentication-bypass-fix.patch" of type "text/x-patch" (424 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.