oss-sec mailing list archives
CVE id request: GNU libc: NIS shadow password leakage
From: Aurelien Jarno <aurelien () aurel32 net>
Date: Thu, 7 Jan 2010 23:05:28 +0100
Hi oss-sec,

Christoph Pleger has reported through the Debian bug tracker [1] that non-privileged users can read NIS shadow password entries simply using getpwnam() when nscd is in use. The issue has already been reported upstream [2], and a proposed patch is available on [3].

It seems that all GNU libc versions are affected, including derivatives like EGLIBC.

Could we please get a CVE id for this issue?

Thanks,
Aurelien

[1] http://bugs.debian.org/560333
[2] http://sourceware.org/bugzilla/show_bug.cgi?id=11134
[3] http://svn.debian.org/viewsvn/pkg-glibc/glibc-package/trunk/debian/patches/any/submitted-nis-shadow.diff?revision=4062&view=markup

--
Aurelien Jarno GPG: 1024D/F1BCDB73
aurelien () aurel32 net http://www.aurel32.net
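A check an administrator can run from an unprivileged account to see whether the behaviour reported above is present on a host. It is an added example, not part of the original message or of glibc. It looks users up with getpwnam() and reports only whether the returned password field looks like a crypt(3) hash, never the value itself; the function names and the hash heuristic are assumptions of this example.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Return 1 if a passwd-field value looks like a real crypt(3) hash,
 * 0 if it is NULL, empty or a short placeholder such as "x", "*" or "!". */
int field_looks_like_hash(const char *field)
{
    static const char crypt_alphabet[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    size_t len;

    if (field == NULL)
        return 0;
    while (*field == '!')          /* a locked account may still carry its hash */
        field++;
    len = strlen(field);
    /* Modular crypt format: $id$salt$hash */
    if (field[0] == '$' && len > 3 && strchr(field + 1, '$') != NULL)
        return 1;
    /* Traditional DES crypt: exactly 13 characters from the crypt alphabet */
    if (len == 13 && strspn(field, crypt_alphabet) == 13)
        return 1;
    return 0;
}

/* Look the user up the way any unprivileged program would.
 * Returns -1 if the user is unknown, 1 if a hash is visible, 0 otherwise. */
int audit_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    return field_looks_like_hash(pw->pw_passwd);
}

int main(int argc, char **argv)
{
    int i, exposed = 0;
    for (i = 1; i < argc; i++) {
        int r = audit_user(argv[i]);
        printf("%s: %s\n", argv[i],
               r < 0 ? "not found" : r ? "hash visible via getpwnam()" : "ok");
        if (r > 0)
            exposed = 1;
    }
    return exposed;   /* non-zero exit status if any hash was visible */
}
```

Run it as a non-root user with the names of a few NIS accounts as arguments, once with nscd running and once with it stopped, and compare the results.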
Current thread:
- CVE id request: GNU libc: NIS shadow password leakage Aurelien Jarno (Jan 07)
- Re: CVE id request: GNU libc: NIS shadow password leakage Josh Bressers (Jan 08)
- Re: CVE id request: GNU libc: NIS shadow password leakage Christoph Pleger (Jan 08)
- Re: CVE id request: GNU libc: NIS shadow password leakage Tomas Hoger (Jan 11)
- Re: CVE id request: GNU libc: NIS shadow password leakage Christoph Pleger (Jan 11)
- Re: CVE id request: GNU libc: NIS shadow password leakage Josh Bressers (Jan 11)
- Re: CVE id request: GNU libc: NIS shadow password leakage Christoph Pleger (Jan 08)
- Re: CVE id request: GNU libc: NIS shadow password leakage Josh Bressers (Jan 08)