Debian Security Advisory DSA 844-1 - A vulnerability in mod_auth_shadow, an Apache module that lets users perform HTTP authentication against /etc/shadow, has been discovered. The module runs for all locations that use the 'require group' directive which would bypass access restrictions controlled by another authorization mechanism, such as AuthGroupFile file, if the username is listed in the password file and in the gshadow file in the proper group and the supplied password matches against the one in the shadow file.
8181012eb3961d9159ac9f63277e30706b54df18f9e5c3b044c36c8b69f3972f
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 844-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
October 5th, 2005 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : mod-auth-shadow
Vulnerability : programming error
Problem type : remote
Debian-specific: no
CVE ID : CAN-2005-2963
Debian Bug : 323789
A vulnerability in mod_auth_shadow, an Apache module that lets users
perform HTTP authentication against /etc/shadow, has been discovered.
The module runs for all locations that use the 'require group'
directive which would bypass access restrictions controlled by another
authorisation mechanism, such as AuthGroupFile file, if the username
is listed in the password file and in the gshadow file in the proper
group and the supplied password matches against the one in the shadow
file.
This update requires an explicit "AuthShadow on" statement if website
authentication should be checked against /etc/shadow.
For the old stable distribution (woody) this problem has been fixed in
version 1.3-3.1woody.2.
For the stable distribution (sarge) this problem has been fixed in
version 1.4-1sarge1.
For the unstable distribution (sid) this problem has been fixed in
version 1.4-2.
We recommend that you upgrade your libapache-mod-auth-shadow package.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3-3.1woody.2.dsc
Size/MD5 checksum: 628 78a6276d158c96247f87c2a82ad337c9
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3-3.1woody.2.diff.gz
Size/MD5 checksum: 5818 e57059b3d026f4490e83ef48e7c64551
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.3.orig.tar.gz
Size/MD5 checksum: 7476 3ad4432193ac603049ad0f2fa94f2054
Alpha architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_alpha.deb
Size/MD5 checksum: 12204 4f659abcf88fe710a35c09a24f6294d4
ARM architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_arm.deb
Size/MD5 checksum: 11306 ed1b93be804e3233000e7bc9951ee836
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_i386.deb
Size/MD5 checksum: 11334 a384bb22d08d3d8ad2ee76803517866f
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_ia64.deb
Size/MD5 checksum: 13488 63798f86c1cd944d5f635890b1ae7edb
HP Precision architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_hppa.deb
Size/MD5 checksum: 12048 cea187ef3898639b248c9b6f8b36e7a0
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_m68k.deb
Size/MD5 checksum: 11302 8887098ee92b1be61470b8a00ac72df9
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_mips.deb
Size/MD5 checksum: 11466 9846f15f1c98a3cbb01b12d8e8563d93
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_mipsel.deb
Size/MD5 checksum: 11458 d2ae47a2320ef6a8b45aa2354c9eebe9
PowerPC architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_powerpc.deb
Size/MD5 checksum: 11372 1ce0c98e16ea699726c0e45b98de5ec6
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_s390.deb
Size/MD5 checksum: 11516 e92c004036842d0f6f79b0e5d9f64455
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.3-3.1woody.2_sparc.deb
Size/MD5 checksum: 14484 524248ef32be0bffef4dcc147eece09b
Debian GNU/Linux 3.1 alias sarge
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.4-1sarge1.dsc
Size/MD5 checksum: 618 8a413e53ca39d904d95dccd1b0705693
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.4-1sarge1.diff.gz
Size/MD5 checksum: 5816 4b010699db55a2c3446e71cc4af6e167
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/mod-auth-shadow_1.4.orig.tar.gz
Size/MD5 checksum: 7982 7da6ea1d72640c334fefab4e078eadd4
Alpha architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_alpha.deb
Size/MD5 checksum: 13462 9a035f44ccbfec2ddedeb97ba25de685
AMD64 architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_amd64.deb
Size/MD5 checksum: 12978 ffdd9eab120efbd6ad58befb069ead8d
ARM architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_arm.deb
Size/MD5 checksum: 12332 20edffd17e6cfed8bf60d50f0cf918da
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_i386.deb
Size/MD5 checksum: 12426 7e27802cc15e0478e06f00cff72c4133
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_ia64.deb
Size/MD5 checksum: 14444 b1a34f75958df70ee4566445ceb80a26
HP Precision architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_hppa.deb
Size/MD5 checksum: 13602 448068ac275fe81e7ba0d997b8bc3566
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_m68k.deb
Size/MD5 checksum: 12258 ae4ef5bdca2baaeb0067cf908e57ac09
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_mips.deb
Size/MD5 checksum: 13238 e0a0f68fb3a164bc80607ba974a05f3d
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_mipsel.deb
Size/MD5 checksum: 13248 24218030e050490cbe0578474ec46403
PowerPC architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_powerpc.deb
Size/MD5 checksum: 14120 85d7a92000946e11db7ae213960c4927
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_s390.deb
Size/MD5 checksum: 12964 46951fcacb6c99c779e31c7aa21d8bf3
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-1sarge1_sparc.deb
Size/MD5 checksum: 12300 e05d59189d387427c9017180631aeba4
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDQ5unW5ql+IAeqTIRAs+2AJ9lZmcpDasrDXY+dq195W7gdvJSRgCggXNF
JL5rdx9NuQ2DbdQkwVc1acM=
=kiFO
-----END PGP SIGNATURE-----