Yellow Dog Linux Security Announcement
--------------------------------------

Package:	nss_ldap
Issue Date: 	October 20, 2002	
Priority:	medium	
Advisory ID: 	YDU-20021020-6


1. 	Topic:

	Updated nss_ldap packages are available.


2. 	Problem:

	"nss_ldap is a set of C library extensions that allow X.500 and LDAP
	directory servers to be used as a primary source of aliases, ethers,
	groups, hosts, networks, protocols, users, RPCs, services, and shadow
	passwords (instead of or in addition to using flat files or NIS).

	When versions of nss_ldap prior to nss_ldap-198 are configured without a
	value for the "host" setting, nss_ldap will attempt to configure itself by
	using SRV records stored in DNS. When parsing the results of the DNS
	query, nss_ldap does not check that the data returned by the server will
	fit into an internal buffer, leaving it vulnerable to a buffer overflow.
	The Common Vulnerabilities and Exposures project (cve.mitre.org) has
	assigned the name CAN-2002-0825 to this issue.

	When versions of nss_ldap prior to nss_ldap-199 are configured without a
	value for the "host" setting, nss_ldap will attempt to configure itself by
	using SRV records stored in DNS. When parsing the results of the DNS
	query, nss_ldap does not check that the data returned has not been
	truncated by the resolver libraries to avoid a buffer overflow, and may
	attempt to parse more data than is actually available, leaving it
	vulnerable to a read buffer overflow.

	Versions of pam_ldap prior to version 144 include a format string bug in
	the logging function. The packages included in this erratum update pam_ldap
	to version 144, fixing this bug. The Common Vulnerabilities and Exposures
	project (cve.mitre.org) has assigned the name CAN-2002-0374 to this issue.

	All users of nss_ldap should update to these errata packages which are not
	vulnerable to the above issues. The errata packages are based on
	nss_ldap-189 with the addition of a backported security patch and pam_ldap
	version 144.

	Thanks to the nss_ldap and pam_ldap team at padl.com for providing
	information about these issues."
	(from Red Had advisory)


3. 	Solution:

   	a) Updating via apt...
   	We suggest that you use the apt-get program to keep your
   	system up-to-date. The following command(s) will retrieve
   	and install the fixed version of this update onto your system:

		apt-get update
		apt-get install nss_ldap

   	b) Updating manually...
	Download the updates below and then run the following rpm command.
   	(Please use a mirror site)

		rpm -Fvh [filenames]
		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
			ppc/nss_ldap-189-4.2.3a.ppc.rpm

4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
05c21ae5f695870b88b13ad2ac3618ea  ppc/nss_ldap-189-4.2.3a.ppc.rpm
18e0f45e32db85ab6460e645c9c89b3a  SRPMS/nss_ldap-189-4.2.3a.src.rpm

I wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename


5. Misc.

Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more
information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml