RHBA-2012:0268 - Bug Fix Advisory

Topic

An enhanced nss_ldap package that fixes various bugs and provides an enhancement
is now available for Red Hat Enterprise Linux 5.

Description

The nss_ldap package contains the nss_ldap and pam_ldap modules. The nss_ldap
module is a name service switch module which allows applications to retrieve
information about users and groups from a directory server. The pam_ldap module
allows a directory server to be used by PAM-aware applications to verify user
passwords.

This updated nss_ldap package includes fixes for the following bugs:

• Previously, nss_ldap did not correctly handle the situation where "unreadable"

files were present in the CA certificate directory. Consequently, nss_ldap
failed when resolving usernames and groups while using TLS even if a valid
readable certificate was available. This update corrects the problem and
nss_ldap now ignores files that are not world readable and uses the readable
certificate files as expected. (BZ#593242)

• In certain cases, nss_ldap failed to get a response from the Lightweight

Directory Access Protocol (LDAP) server and the client became temporarily unable
to query the server. This update applies a patch which improves the code and the
server now responds as expected. (BZ#696707)

• The LDAP server stored its configuration in a fixed-size buffer that could

have been exceeded with large configurations, thus causing nss_ldap to fail.
This was especially likely to occur on 64-bit architectures where pointers to
internal data structures occupy twice as much space in the buffer as on 32-bit
architectures. This caused situations where a certain ldap configuration worked
on 32-bit architecture but not on 64-bit architecture. With this update, the
code has been modified to allow the use of larger ldap configurations without
exceeding the buffer and nss_ldap now works correctly. (BZ#705841)

In addition, this updated nss_ldap package provides the following enhancement:

• Prior to this update, nss_ldap did not select the closest DNS records, but

always selected the first record returned by DNS. This update changes the
behavior to select the records based on the priority and weight fields.
(BZ#741419)

All users of nss_ldap are advised to upgrade to this updated package, which
fixes these bugs and provides this enhancement.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 593242 - nss_ldap does not handle "unreadable" certificate files when resolving usernames and groups and using TLS.
• BZ - 696707 - nss_ldap client does not seem to get a response from ldap server
• BZ - 756783 - nss_ldap segfaults because of memory corruption

CVEs

(none)

References

(none)