TITLE:
OpenLDAP / pam_ldap Password Disclosure Security Issue

SECUNIA ADVISORY ID:
SA15906

VERIFY ADVISORY:
http://secunia.com/advisories/15906/

CRITICAL:
Less critical

IMPACT:
Exposure of sensitive information

WHERE:
From local network

SOFTWARE:
pam_ldap 1.x
http://secunia.com/product/2131/
OpenLDAP 2.1.x
http://secunia.com/product/1831/
OpenLDAP 2.2.x
http://secunia.com/product/5319/

DESCRIPTION:
A security issue has been reported in OpenLDAP and pam_ldap, which
can be exploited by malicious people to gain knowledge of sensitive
information.

The security issue is caused by the client not using TLS when it
connects to the master server after being referred there by the slave
server for password changes. This allows malicious people to gain
knowledge of users' passwords by sniffing network traffic.

The security issue has been reported in OpenLDAP version 2.2.26 and
pam_ldap version 1.76. Other versions may also be affected.

SOLUTION:
Configure LDAP servers to only accept TLS connections.

ORIGINAL ADVISORY:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161990
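The SOLUTION above, as an added example that is not part of the Secunia advisory: a Python audit of a slapd.conf and the server's listener URLs for paths on which a bind password can still cross the network in cleartext. The sample configurations, file paths and finding codes are constructed for illustration, and only the `security` directive in the global section is evaluated.

```python
import re

# "security" factors in slapd.conf that apply to every operation, binds included.
# The update_* factors only cover writes, so they do not protect a bind password.
ALL_OP_FACTORS = ("ssf", "transport", "tls")

def global_security(conf_text):
    """Collect {factor: strength} from "security" lines in the global section."""
    logical = []
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:       # leading whitespace continues a line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    factors = {}
    for line in logical:
        words = line.split()
        name = words[0].lower()
        if name in ("backend", "database"):    # per-backend sections start here
            break
        if name == "security":
            for m in re.finditer(r"(\w+)=(\d+)", " ".join(words[1:])):
                factors[m.group(1).lower()] = int(m.group(2))
    return factors

def audit(conf_text, listener_urls):
    """Return (url, finding) pairs for listeners that can carry a cleartext bind."""
    sec = global_security(conf_text)
    enforced = any(sec.get(f, 0) > 0 for f in ALL_OP_FACTORS)
    findings = []
    for url in listener_urls:
        if url.split(":", 1)[0].lower() != "ldap":
            continue   # ldaps:// negotiates TLS before any LDAP data; ldapi:// is local
        # Even when enforced, the server only refuses after the request arrives,
        # so a client that skips StartTLS has already sent its simple-bind password.
        findings.append((url, "REJECTED_AFTER_RECEIPT" if enforced else "PLAINTEXT_ACCEPTED"))
    return findings

# Constructed sample configurations (not taken from the advisory).
WEAK = """# master server
TLSCertificateFile /etc/openldap/master.crt
security update_ssf=128
database bdb
suffix "dc=example,dc=com"
"""
HARDENED = WEAK.replace("security update_ssf=128", "security\n  tls=128")

if __name__ == "__main__":
    for conf, urls in ((WEAK, ["ldap:///", "ldaps:///"]), (HARDENED, ["ldaps:///"])):
        print(audit(conf, urls))
```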