<<< Date Index >>>     <<< Thread Index >>>

[SECURITY] [DSA 844-1] New mod-auth-shadow packages fix authentication bypass



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 844-1                     security@xxxxxxxxxx
http://www.debian.org/security/                             Martin Schulze
October 5th, 2005                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mod-auth-shadow
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2963
Debian Bug     : 323789

A vulnerability in mod_auth_shadow, an Apache module that lets users
perform HTTP authentication against /etc/shadow, has been discovered.
The module runs for all locations that use the 'require group'
directive which would bypass access restrictions controlled by another
authorisation mechanism, such as AuthGroupFile file, if the username
is listed in the password file and in the gshadow file in the proper
group and the supplied password matches against the one in the shadow
file.

This update requires an explicit "AuthShadow on" statement if website
authentication should be checked against /etc/shadow.

For the old stable distribution (woody) this problem has been fixed in
version 1.3-3.1woody.2.

For the stable distribution (sarge) this problem has been fixed in
version 1.4-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 1.4-2.

We recommend that you upgrade your libapache-mod-auth-shadow package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3-3.1woody.2.dsc
      Size/MD5 checksum:      628 78a6276d158c96247f87c2a82ad337c9
    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3-3.1woody.2.diff.gz
      Size/MD5 checksum:     5818 e57059b3d026f4490e83ef48e7c64551
    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3.orig.tar.gz
      Size/MD5 checksum:     7476 3ad4432193ac603049ad0f2fa94f2054

  Alpha architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_alpha.deb
      Size/MD5 checksum:    12204 4f659abcf88fe710a35c09a24f6294d4

  ARM architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_arm.deb
      Size/MD5 checksum:    11306 ed1b93be804e3233000e7bc9951ee836

  Intel IA-32 architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_i386.deb
      Size/MD5 checksum:    11334 a384bb22d08d3d8ad2ee76803517866f

  Intel IA-64 architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_ia64.deb
      Size/MD5 checksum:    13488 63798f86c1cd944d5f635890b1ae7edb

  HP Precision architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_hppa.deb
      Size/MD5 checksum:    12048 cea187ef3898639b248c9b6f8b36e7a0

  Motorola 680x0 architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_m68k.deb
      Size/MD5 checksum:    11302 8887098ee92b1be61470b8a00ac72df9

  Big endian MIPS architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_mips.deb
      Size/MD5 checksum:    11466 9846f15f1c98a3cbb01b12d8e8563d93

  Little endian MIPS architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_mipsel.deb
      Size/MD5 checksum:    11458 d2ae47a2320ef6a8b45aa2354c9eebe9

  PowerPC architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_powerpc.deb
      Size/MD5 checksum:    11372 1ce0c98e16ea699726c0e45b98de5ec6

  IBM S/390 architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_s390.deb
      Size/MD5 checksum:    11516 e92c004036842d0f6f79b0e5d9f64455

  Sun Sparc architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_sparc.deb
      Size/MD5 checksum:    14484 524248ef32be0bffef4dcc147eece09b


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.4-1sarge1.dsc
      Size/MD5 checksum:      618 8a413e53ca39d904d95dccd1b0705693
    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.4-1sarge1.diff.gz
      Size/MD5 checksum:     5816 4b010699db55a2c3446e71cc4af6e167
    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.4.orig.tar.gz
      Size/MD5 checksum:     7982 7da6ea1d72640c334fefab4e078eadd4

  Alpha architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_alpha.deb
      Size/MD5 checksum:    13462 9a035f44ccbfec2ddedeb97ba25de685

  AMD64 architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_amd64.deb
      Size/MD5 checksum:    12978 ffdd9eab120efbd6ad58befb069ead8d

  ARM architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_arm.deb
      Size/MD5 checksum:    12332 20edffd17e6cfed8bf60d50f0cf918da

  Intel IA-32 architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_i386.deb
      Size/MD5 checksum:    12426 7e27802cc15e0478e06f00cff72c4133

  Intel IA-64 architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_ia64.deb
      Size/MD5 checksum:    14444 b1a34f75958df70ee4566445ceb80a26

  HP Precision architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_hppa.deb
      Size/MD5 checksum:    13602 448068ac275fe81e7ba0d997b8bc3566

  Motorola 680x0 architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_m68k.deb
      Size/MD5 checksum:    12258 ae4ef5bdca2baaeb0067cf908e57ac09

  Big endian MIPS architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_mips.deb
      Size/MD5 checksum:    13238 e0a0f68fb3a164bc80607ba974a05f3d

  Little endian MIPS architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_mipsel.deb
      Size/MD5 checksum:    13248 24218030e050490cbe0578474ec46403

  PowerPC architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_powerpc.deb
      Size/MD5 checksum:    14120 85d7a92000946e11db7ae213960c4927

  IBM S/390 architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_s390.deb
      Size/MD5 checksum:    12964 46951fcacb6c99c779e31c7aa21d8bf3

  Sun Sparc architecture:

    
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_sparc.deb
      Size/MD5 checksum:    12300 e05d59189d387427c9017180631aeba4


  These files will probably be moved into the stable distribution on
  its next update.

- 
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDQ5unW5ql+IAeqTIRAs+2AJ9lZmcpDasrDXY+dq195W7gdvJSRgCggXNF
JL5rdx9NuQ2DbdQkwVc1acM=
=kiFO
-----END PGP SIGNATURE-----