SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Directory)  >   Kolab Vendors:   kolab.org
(Mandrake Issues Fix) Kolab Discloses LDAP Server Password to Local Users
SecurityTracker Alert ID:  1010310
SecurityTracker URL:  http://securitytracker.com/id/1010310
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 27 2004
Impact:   Disclosure of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to kolab-1.0-20040426
Description:   An information disclosure vulnerability was reported in Kolab. A local user may be able to obtain the password for the LDAP server.

Luca Villani reported that a local user can read the '/var/origkolab/etc/openldap/slapd.conf' configuration file to view the 'rootdn' password for the OpenLDAP server. The file is configured with 0644 (world-readable) permissions, the author said.
Impact:   A local user can view the OpenLDAP server password.
Solution:   Mandrake has released a fix.

Mandrakelinux 10.0:
cc7b01619905b25dbbd3ae6c51ed05fd 10.0/RPMS/kolab-server-1.0-0.23.100mdk.i586.rpm
085c3f72bad177369279ce71e47a90c8 10.0/SRPMS/kolab-server-1.0-0.23.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
7e3bce42c30cc11a6bc71ac39296a197 amd64/10.0/RPMS/kolab-server-1.0-0.23.100mdk.amd64.rpm
085c3f72bad177369279ce71e47a90c8 amd64/10.0/SRPMS/kolab-server-1.0-0.23.100mdk.src.rpm
Vendor URL:  www.kolab.org/ (Links to External Site)
Cause:   Access control error
Underlying OS:   Linux (Mandriva/Mandrake)

Message History:   This archive entry is a follow-up to the message listed below.
May 6 2004 Kolab Discloses LDAP Server Password to Local Users


 Source Message Contents
Date:  27 May 2004 00:39:02 -0000
Subject:  [Security Announce] MDKSA-2004:052 - Updated kolab-server package


This is a multi-part message in MIME format...

------------=_1085598808-13954-51

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           kolab-server
 Advisory ID:            MDKSA-2004:052
 Date:                   May 26th, 2004

 Affected versions:	 10.0
 ______________________________________________________________________

 Problem Description:

 Luca Villani reported the disclosure of critical configuration
 information within Kolab, the KDE Groupware server. The affected
 versions store OpenLDAP passwords in plain text. The heart of Kolab
 is an engine written in Perl that rewrites configuration for certain
 applications based on templates. The build() function in the engine 
 left slapd.conf world-readable exhibiting the OpenLDAP root password.
 _______________________________________________________________________

 References:

  http://www.kolab.org/pipermail/kolab-users/2004-April/000215.html
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 cc7b01619905b25dbbd3ae6c51ed05fd  10.0/RPMS/kolab-server-1.0-0.23.100mdk.i586.rpm
 085c3f72bad177369279ce71e47a90c8  10.0/SRPMS/kolab-server-1.0-0.23.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 7e3bce42c30cc11a6bc71ac39296a197  amd64/10.0/RPMS/kolab-server-1.0-0.23.100mdk.amd64.rpm
 085c3f72bad177369279ce71e47a90c8  amd64/10.0/SRPMS/kolab-server-1.0-0.23.100mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAtTimmqjQ0CJFipgRAmJdAKDPuntug8YALl4Lp71fXUGml49o4gCdF0kQ
RfcgQ81mYuP+CELzN/YC2dA=
=lnPX
-----END PGP SIGNATURE-----


------------=_1085598808-13954-51
Content-Type: text/plain; name="message.footer"
Content-Disposition: inline; filename="message.footer"
Content-Transfer-Encoding: 8bit

____________________________________________________
Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com
Join the Club : http://www.mandrakeclub.com
____________________________________________________

------------=_1085598808-13954-51--


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC