(Debian Issues Fix) mod_auth_shadow Apache Module Authenticates Expired Passwords
|
|
SecurityTracker Alert ID: 1008677 |
|
SecurityTracker URL: http://securitytracker.com/id/1008677
|
|
CVE Reference:
CVE-2004-0041
(Links to External Site)
|
Date: Jan 12 2004
|
Impact:
Host/resource access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): prior to 1.4
|
Description:
A vulnerability was reported in the mod_auth_shadow Apache module. A remote user with previously valid authentication credentials but with an expired password can successfully authenticate.
It is reported that the software does not enforce a user's password expiration status. A remote authenticated user with a previously valid password may be able to authenticate successfully even though the password has expired.
Debian reported that David B Harris discovered this flaw.
|
Impact:
A remote user can authenticate with a correct but expired password.
|
Solution:
Debian has released a fix for the current stable distribution (woody) in version 1.3-3.1woody.1 and for the unstable distribution (sid) in version 1.4-1.
Debian GNU/Linux 3.0 alias woody:
Source archives:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3-3.1woody.1.dsc
Size/MD5 checksum: 628 0631b85270f5e589909ce3618976bffe
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3-3.1woody.1.diff.gz
Size/MD5 checksum: 5453 b5f344fb69005ca149bacf286844832f
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3.orig.tar.gz
Size/MD5 checksum: 7476 3ad4432193ac603049ad0f2fa94f2054
Alpha architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_alpha.deb
Size/MD5 checksum: 11970 d73f8c7bbc56f603aff27c9e0839c685
ARM architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_arm.deb
Size/MD5 checksum: 11064 a016baa2812a950e0daed4930e06064a
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_i386.deb
Size/MD5 checksum: 11116 37050a0429d599a878f52a78f64c53a1
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_ia64.deb
Size/MD5 checksum: 13230 12e15d476e2923212066955329572fc8
HP Precision architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_hppa.deb
Size/MD5 checksum: 11810 dc63de9f64595d784f76b7ba4a42f19b
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_m68k.deb
Size/MD5 checksum: 11078 f2e0f2c0a0fac24061d9043749c1d4da
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_mips.deb
Size/MD5 checksum: 11230 2ddbceff8f93ad432e090b634244c4f5
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_mipsel.deb
Size/MD5 checksum: 11232 55320be2e6212242eb00310716ae346a
PowerPC architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_powerpc.deb
Size/MD5 checksum: 11122 2ee5de78bdd4112d53be7416185fcc64
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_s390.deb
Size/MD5 checksum: 11262 1d3b72a731147bb7b59255844036f024
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_sparc.deb
Size/MD5 checksum: 14240 cbe2bc47536b40fa46c8eb400a8b7db1
|
Vendor URL: sourceforge.net/projects/mod-auth-shadow (Links to External Site)
|
Cause:
Authentication error, State error
|
Underlying OS:
Linux (Debian)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Mon, 12 Jan 2004 10:38:47 -0800
Subject: [SECURITY] [DSA 421-1] New mod-auth-shadow packages fix password expiration checking
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 421-1 security@debian.org
http://www.debian.org/security/ Matt Zimmerman
January 12th, 2004 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : mod-auth-shadow
Vulnerability : password expiration
Problem-Type : remote
Debian-specific: no
CVE Ids : CAN-2004-0041
David B Harris discovered a problem with mod-auth-shadow, an Apache
module which authenticates users against the system shadow password
database, where the expiration status of the user's account and
password were not enforced. This vulnerability would allow an
otherwise authorized user to successfully authenticate, when the
attempt should be rejected due to the expiration parameters.
For the current stable distribution (woody) this problem has been
fixed in version 1.3-3.1woody.1
For the unstable distribution (sid) this problem has been fixed in
version 1.4-1.
We recommend that you update your mod-auth-shadow package.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3-3.1woody.1.dsc
Size/MD5 checksum: 628 0631b85270f5e589909ce3618976bffe
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3-3.1woody.1.diff.gz
Size/MD5 checksum: 5453 b5f344fb69005ca149bacf286844832f
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3.orig.tar.gz
Size/MD5 checksum: 7476 3ad4432193ac603049ad0f2fa94f2054
Alpha architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_alpha.deb
Size/MD5 checksum: 11970 d73f8c7bbc56f603aff27c9e0839c685
ARM architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_arm.deb
Size/MD5 checksum: 11064 a016baa2812a950e0daed4930e06064a
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_i386.deb
Size/MD5 checksum: 11116 37050a0429d599a878f52a78f64c53a1
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_ia64.deb
Size/MD5 checksum: 13230 12e15d476e2923212066955329572fc8
HP Precision architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_hppa.deb
Size/MD5 checksum: 11810 dc63de9f64595d784f76b7ba4a42f19b
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_m68k.deb
Size/MD5 checksum: 11078 f2e0f2c0a0fac24061d9043749c1d4da
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_mips.deb
Size/MD5 checksum: 11230 2ddbceff8f93ad432e090b634244c4f5
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_mipsel.deb
Size/MD5 checksum: 11232 55320be2e6212242eb00310716ae346a
PowerPC architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_powerpc.deb
Size/MD5 checksum: 11122 2ee5de78bdd4112d53be7416185fcc64
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_s390.deb
Size/MD5 checksum: 11262 1d3b72a731147bb7b59255844036f024
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.1_sparc.deb
Size/MD5 checksum: 14240 cbe2bc47536b40fa46c8eb400a8b7db1
These files will probably be moved into the stable distribution on
its next revision.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAAumLArxCt0PiXR4RAo1aAJ9lvriQdj5Ee9DpuSTerYfh59+ajACcDD0M
1vNgpa8eOz3O3gicRLdQdt8=
=yOKH
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
|
|
