RHBA-2011:1557 - Bug Fix Advisory

Topic

An updated ypserv package that fixes two bugs and adds one enhancement is now
available for Red Hat Enterprise Linux 6.

Description

The ypserv utility provides network information (login names, passwords, home
directories, group information) to all of the machines on a network. It can
enable users to log in on any machine on the network as long as the machine has
the Network Information Service (NIS) client programs running and the user's
password is recorded in the NIS passwd database. NIS was formerly known as Sun
Yellow Pages (YP).

This update fixes the following bugs:

• Uninitialized memory could be accessed when running the "yppasswdd" command

with the "-x" option to pass data to an external program. As a consequence,
redundant characters were prefixed to the request string, which led to incorrect
parsing of the request. This update fixes the memory initialization and the
request can be now parsed successfully. (BZ#699675)

• Prior to this update, the root user could see old passwords of other users.

This was caused by a change request being logged using syslog when running the
"yppaswdd" command with the "-x" option to pass data to an external program.
With this update, the old password hash and the new password hash are cleared in
syslog and the root user can no longer view the old passwords of other users.
(BZ#734494)

In addition, this update adds the following enhancement:

• Prior to this update, users were not able to change their passwords by running

the "yppasswd" command if using the passwd.adjunct file, which prevents
disclosing the encrypted passwords. With this update, users are now able to
change their passwords. (BZ#699667)

All users of ypserv are advised to upgrade to this updated package, which fixes
these bugs and adds this enhancement.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat
Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 699675 - yppasswdd -x has garbage prefixed to username
• BZ - 732724 - Resource leak

CVEs

(none)

References

(none)