Referenced CVEs: 
CAN-2005-2069
Description: 
===========================================================
Ubuntu Security Notice USN-152-1              July 21, 2005
openldap2, libpam-ldap, libnss-ldap vulnerabilities
CAN-2005-2069
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

libnss-ldap
libpam-ldap
slapd

On Ubuntu 4.10, the problem can be corrected by upgrading the affected packages to version 2.1.30-2ubuntu4.1 (slapd), 164-2ubuntu0.1 (libpam-ldap), and 220-1ubuntu0.1 (libnss-ldap). On Ubuntu 5.04, the problem can be corrected by upgrading the affected packages to version 2.1.30-3ubuntu3.1 (slapd), 169-1ubuntu0.1 (libpam-ldap), and 220-1ubuntu0.1 (libnss-ldap). In general, a standard system upgrade is sufficient to effect the necessary changes.

(Please note that libnss-ldap and libpam-ldap are not officially supported by Ubuntu; they are in the "universe" suite of the archive.)

Details follow:

Andrea Barisani discovered a flaw in the SSL handling of pam-ldap and libnss-ldap. When a client connected to a slave LDAP server using SSL, the slave server did not use SSL as well when contacting the LDAP master server. This caused passwords and other confidential information to be transmitted unencrypted between the slave and the master.
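
The following is an added example, not part of the Ubuntu notice: a check of a host's package inventory against the fixed versions listed above, using Debian version ordering. The function names and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed versions copied from USN-152-1 above, keyed by Ubuntu release.
FIXED = {
    "4.10": {"slapd": "2.1.30-2ubuntu4.1", "libpam-ldap": "164-2ubuntu0.1",
             "libnss-ldap": "220-1ubuntu0.1"},
    "5.04": {"slapd": "2.1.30-3ubuntu3.1", "libpam-ldap": "169-1ubuntu0.1",
             "libnss-ldap": "220-1ubuntu0.1"},
}

def _order(c):
    # dpkg ordering: '~' sorts before everything, letters before other symbols.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, left to right.
    while a or b:
        ta, na, a = re.match(r"(\D*)(\d*)(.*)", a).groups()
        tb, nb, b = re.match(r"(\D*)(\d*)(.*)", b).groups()
        ka = [_order(c) for c in ta] + [0]   # 0 marks the end of the run
        kb = [_order(c) for c in tb] + [0]
        if ka != kb:
            return -1 if ka < kb else 1
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def deb_cmp(v1, v2):
    """Return -1, 0 or 1 following Debian version ordering."""
    def parts(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = parts(v1), parts(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def unpatched(release, installed):
    """Packages from the notice that are installed below the fixed version."""
    fixed = FIXED[release]
    return sorted(p for p, v in installed.items()
                  if p in fixed and deb_cmp(v, fixed[p]) < 0)

if __name__ == "__main__":
    # Constructed inventory for a 5.04 host (not from the notice).
    sample = {"slapd": "2.1.30-3ubuntu3", "libpam-ldap": "169-1ubuntu0.1",
              "libnss-ldap": "220-1"}
    print(unpatched("5.04", sample))
```

On a real host the inventory can be built from the output of `dpkg-query -W`, which prints each installed package with its version.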