Bug Fix Advisory nss_ldap bug fix update

Advisory: RHBA-2011:0097-1
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2011-01-13
Last updated on: 2011-01-13
Affected Products: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)

Details

An updated nss_ldap package that fixes multiple bugs is now available for Red
Hat Enterprise Linux 5.

The nss_ldap package contains the nss_ldap and pam_ldap modules. The nss_ldap
module is a plug-in which allows applications to retrieve information about
users and groups from a directory server. The pam_ldap module allows a directory
server to be used by PAM-aware applications to verify user passwords.

This update fixes the following bugs:

* When looking up host names and addresses, the 'gethostbyname_r' function did
not return a proper value for the 'errno_p' parameter when the length of the
name or the address was less than required. This resulted in the host name
and the address being overlooked and not returned. With this update, the
function has been fixed and works as expected. (BZ#468807)

* Under certain conditions, an application which spawned a new child process
would begin exhibiting undefined behavior. This was caused by the 'free()'
function being called in the 'fork()' function, which resulted in a race and
hung the application. This update fixes the race issue and the application no
longer hangs. (BZ#474181)

* Prior to this update, some processes would trigger SELinux policy denials when
attempting to use a connection to a directory server which its parent process
had opened. This was caused by a leaked file descriptor. With this update, file
descriptors are no longer leaked, thus, SELinux policy denials are no longer
triggered. (BZ#500397)

* When using pluggable authentication modules (PAM), selected modules can be
loaded and unloaded upon each authentication attempt. However, unloading the
pam_ldap module could cause the memory that is allocated by libraries on which
it depends to be lost. As a result, multiple authentication attempts could
lead to significant memory loss. To prevent this, the pam_ldap module is
no longer unloaded. (BZ#511238)

* When authenticating users using a directory server which provides a password
aging policy, a user whose password will expire in less than a day would not be
warned of the impending expiration. With this update, a password expiry warning
is shown that reminds the user of the impending password expiration. (BZ#537358)

* When the "/etc/ldap.conf" configuration file contained an incomplete
configuration or a setting with too large a value, a process which attempted to
use nss_ldap could crash. With this update, a crash no longer occurs and an
appropriate error is returned. (BZ#538498)

* Adding a large number of users (multiple kilobytes of usernames) to the
'nss_initgroups_ignoreusers' option in the "/etc/ldap.conf" configuration file
resulted in an "Assertion failed" error when executing any nss_ldap related
commands. With this update, adding multiple users to the
'nss_initgroups_ignoreusers' option works as expected. (BZ#584157)

* When an LDAP context has been established, obtaining the list of groups a user
belongs to could result in a memory leak. With this update, a patch has been
applied to address this issue, and such memory leaks no longer occur.
(BZ#654650)

* Under certain circumstances, the nss_ldap module may have been unable to
correctly process LDAP entries with a large number of group members. This was
due to an error number being accidentally overwritten before the control was
returned to the caller. When this happened, various utilities failed to produce
expected results. With this update, this error has been fixed, the error number
is no longer overwritten, and affected utilities now work properly. (BZ#661630)

All users of nss_ldap are advised to upgrade to this updated package, which
resolves these issues.
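
The descriptor leak described under BZ#500397, shown as an added example (this is not nss_ldap code and not the patch shipped in this update): a descriptor opened without close-on-exec stays reachable in any program the process later executes, while one marked FD_CLOEXEC does not. The function names, the unconnected AF_UNIX socket standing in for the directory-server connection, and the use of /bin/sh as the executed program are assumptions made for the demonstration.

```c
/* Added example, not nss_ldap code: descriptor inheritance across fork()+exec(). */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 = fd survives exec (leaks), 0 = close-on-exec is set, -1 = fd not open. */
int fd_is_inheritable(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Mark fd close-on-exec, keeping any other descriptor flags. */
int fd_set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* fork()+exec() /bin/sh and let the new program try to duplicate `fd`.
 * Returns 1 if the executed program can reach it, 0 if not, -1 on error.
 * Assumes fd <= 9, the range POSIX guarantees for shell redirections. */
int fd_visible_after_exec(int fd) {
    char cmd[64];
    int status;
    if (fd < 0 || fd > 9) return -1;
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; : <&%d", fd);
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                      /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0;     /* redirection succeeded: fd leaked */
}

/* Constructed stand-in for a directory-server connection: an unconnected
 * local socket, opened without (leaky) or with (protected) close-on-exec. */
int open_connection(int protect) {
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd != -1 && protect && fd_set_cloexec(fd) == -1) { close(fd); return -1; }
    return fd;
}
```

Running fd_is_inheritable() over the open descriptors of a long-lived process before it spawns helpers is a quick audit for this class of leak.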


Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
nss_ldap-253-37.el5.src.rpm
File outdated by: RHBA-2013:0251

IA-32:
nss_ldap-253-37.el5.i386.rpm
File outdated by: RHBA-2013:0251

IA-64:
nss_ldap-253-37.el5.i386.rpm
File outdated by: RHBA-2013:0251
nss_ldap-253-37.el5.ia64.rpm
File outdated by: RHBA-2013:0251

PPC:
nss_ldap-253-37.el5.ppc.rpm
File outdated by: RHBA-2013:0251
nss_ldap-253-37.el5.ppc64.rpm
File outdated by: RHBA-2013:0251

s390x:
nss_ldap-253-37.el5.s390.rpm
File outdated by: RHBA-2013:0251
nss_ldap-253-37.el5.s390x.rpm
File outdated by: RHBA-2013:0251

x86_64:
nss_ldap-253-37.el5.i386.rpm
File outdated by: RHBA-2013:0251
nss_ldap-253-37.el5.x86_64.rpm
File outdated by: RHBA-2013:0251

Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
nss_ldap-253-37.el5.src.rpm
File outdated by: RHBA-2013:0251

IA-32:
nss_ldap-253-37.el5.i386.rpm
File outdated by: RHBA-2013:0251

x86_64:
nss_ldap-253-37.el5.i386.rpm
File outdated by: RHBA-2013:0251
nss_ldap-253-37.el5.x86_64.rpm
File outdated by: RHBA-2013:0251

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

468807 - The function _nss_ldap_gethostbyname_r doesn't set the proper return value and errno_p when the length of name is less than required
474181 - race in fork()
500397 - spamc denials
537358 - RHEL ldap clients are not showing password expiry warning
654650 - Memory leak in nss_ldap
661630 - id returns failure when nss_ldap uses TLS and oneshot nss_connect_policy


Keywords

expiration


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/