[266] in linux-security and linux-alert archive
SECURITY: problem with yppasswdd
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Fri Jun 23 12:07:36 1995
From: okir@monad.swb.de (Olaf Kirch)
To: linux-alert@tarsier.cv.nrao.edu
Date: Thu, 22 Jun 1995 17:09:30 +0200 (MET DST)
Cc: linux-security@tarsier.cv.nrao.edu
Reply-To: linux-security@tarsier.cv.nrao.edu
-----BEGIN PGP SIGNED MESSAGE-----
I just received a user report about a hole in my implementation
of yppasswdd. Under certain circumstances, this hole lets users with a
valid account on your machine gain access to other accounts.
This bug affects all versions up to and including ypasswdd-0.6.
Note that this vulnerability affects _only_ machines that
a) Use the NIS password maps
b) Manage those password maps with rpc.yppasswdd.
To plug this hole, you should obtain and install the latest
version. I have uploaded yppasswd-0.7 to the following places:
ftp.lysator.liu.se:/pub/NYS/incoming (to be moved)
ftp.mathematik.th-darmstadt.de:/pub/linux/okir
linux.nrao.edu:/pub/people/okir
The MD5 signature is:
d22e0061f80f9c28d4b12eeff42e79be yppasswd-0.7.tar.gz
Many thanks to adam@math.tau.ac.il for reporting this bug, and
apologies to everyone for this stupid oversight.
Olaf
- --
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQCVAgUBL+mHSuFnVHXv40etAQEuoAP8C4xxqMugpQItaHXOMpGxj3SHnQcj9uZw
eWFnguYZtXUTaDO/qmDR7I3lMmyhmIuRJ/yS+eC9afaMsyIzf9o+PoQ/7kdbjbEK
B3kRx5cQVHcheLI1gi1YRdbJySTYAM6JtvMwIZEyRY0W5LT3swcIJhejfoXwsui0
+wjsq5DkK9o=
=Fbqa
-----END PGP SIGNATURE-----