Bugtraq mailing list archives
Security Update: [CSSA-2002-024.0] Volution Manager: Directory Administrator password in cleartext
From: security () caldera com
Date: Mon, 3 Jun 2002 13:58:59 -0700
To: bugtraq () securityfocus com announce () lists caldera com security-alerts () linuxsecurity com ______________________________________________________________________________ Caldera International, Inc. Security Advisory Subject: Volution Manager: Directory Administrator password in cleartext Advisory number: CSSA-2002-024.0 Issue date: 2002 June 3 Cross reference: ______________________________________________________________________________ 1. Problem Description Volution Manager stores the unencrypted Directory Administrator's password in the /etc/ldap/slapd.conf file. This vulnerability will be corrected in the next release of Volution Manager. 2. Vulnerable Supported Versions System Package ---------------------------------------------------------------------- Volution Manager 1.1 Standard 3. Solution Volution Manager stores the un-encrypted Directory Administrator's password in the /etc/ldap/slapd.conf file. The password line looks similar to this: rootpw <clear_text_password> Caldera strongly recommends that you encrypt this password, using the following steps: As the root user, run slappasswd, entering your desired password at the prompts (the example uses newpasswd as the new password; the password will not be seen as you type it). # slappasswd New password: newpasswd Re-enter new password: newpasswd {SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz # The output is the new, encrypted password. In the file /etc/ldap/slapd.conf, replace the previous rootpw line with a line containing the new, encrypted password so that the line looks similar to this: rootpw {SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz 4. References Specific references for this advisory: none Caldera OpenLinux security resources: http://www.caldera.com/support/security/index.html Caldera UNIX security resources: http://stage.caldera.com/support/security/ This security advisory closes Caldera incidents sr864231, erg501574. 5. Disclaimer Caldera International, Inc. is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera products. ______________________________________________________________________________
Attachment:
_bin
Description:
Current thread:
- Security Update: [CSSA-2002-024.0] Volution Manager: Directory Administrator password in cleartext security (Jun 03)