LinuxSecurity.com
Debian: New mod-auth-shadow packages fix authentication bypass
Posted by Benjamin D. Thomas   
Debian Updated package.
--------------------------------------------------------------------------
Debian Security Advisory DSA 844-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 5th, 2005                       http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : mod-auth-shadow
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2963
Debian Bug     : 323789

A vulnerability has been discovered in mod_auth_shadow, an Apache module
that lets users perform HTTP authentication against /etc/shadow. The
module runs for all locations that use the 'require group' directive.
This bypasses access restrictions controlled by another authorisation
mechanism, such as an AuthGroupFile, if the username is listed in the
password file and, in the proper group, in the gshadow file, and the
supplied password matches the one in the shadow file.

This update requires an explicit "AuthShadow on" statement if website
authentication should be checked against /etc/shadow.
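
The following audit sketch is an added example, not part of the Debian advisory or the mod_auth_shadow package. It scans Apache configuration text for containers that use 'require group' and reports whether each one enables "AuthShadow on" explicitly, relies on an AuthGroupFile, or names neither and should be reviewed after the update. The sample configuration, its paths and the verdict labels are constructed for illustration; .htaccess files and Include directives are not followed.

```python
import re

# Constructed sample configuration (not from the advisory).
SAMPLE_CONF = """\
<Location /intranet>
    AuthType Basic
    AuthGroupFile /etc/apache/intranet.groups
    require group staff
</Location>
<Directory /var/www/shell-users>
    AuthType Basic
    require group users
</Directory>
<Location /admin>
    AuthType Basic
    AuthShadow on
    require group adm
</Location>
"""

OPEN = re.compile(r"<(?:Location|Directory|Files)(?:Match)?\s+([^>]+)>", re.I)
CLOSE = re.compile(r"</(?:Location|Directory|Files)(?:Match)?>", re.I)

def verdict(seen):
    if "authshadow on" in seen:
        return "explicit-shadow"       # meant to authenticate against /etc/shadow
    if "authgroupfile" in seen:
        return "other-mechanism"       # the case the advisory says could be bypassed
    return "review-implicit-shadow"    # may need 'AuthShadow on' after the update

def audit(conf_text):
    """Return (path, verdict) for every container that uses 'require group'."""
    stack, findings = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:
            stack.append((m.group(1).strip('"'), set()))
        elif CLOSE.match(line) and stack:
            path, seen = stack.pop()
            if "require group" in seen:
                findings.append((path, verdict(seen)))
        elif stack:
            words = line.lower().split()
            stack[-1][1].update({words[0], " ".join(words[:2])})
    return findings

if __name__ == "__main__":
    for path, result in audit(SAMPLE_CONF):
        print(f"{path}: {result}")
```
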

For the old stable distribution (woody) this problem has been fixed in
version 1.3-3.1woody.2.

For the stable distribution (sarge) this problem has been fixed in
version 1.4-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 1.4-2.

We recommend that you upgrade your libapache-mod-auth-shadow package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
--------------------------------


Debian GNU/Linux 3.1 alias sarge
--------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
 