Arthur de Jong

Security support

The latest releases of the 0.8 and 0.9 series of nss-pam-ldapd are supported and will be supported for some time with security updates. Updates will be made available in the form of a new release but patches are also made available on request.

Security advisories are sent to the the nss-pam-ldapd-announce mailing list.

Security advisories

Below is a list of security advisories and security-related notes related to nss-pam-ldapd (not all are security vulnerabilities).

• 2013-02-18: CVE-2013-0288: file descriptor buffer overflow
• 2011-03-09: CVE-2011-0438: authentication bypass for local accounts
• 2010-07-03: disallow empty passwords because some LDAP servers silently accept them
• 2010-05-07: buffer overflow: not exploitable
• 2009-11-22: problems with case-insensitive LDAP lookups
• 2009-03-22: CVE-2009-1073: insecure default permissions of configuration file
• 2007-11-20: CVE-2007-5794: not vulnerable (nss_ldap only)

Versions with known vulnerabilities

• 0.8:
  • 0.8.0 only: CVE-2011-0438: authentication bypass for local accounts
  • 0.8.0 up to 0.8.10: CVE-2013-0288: file descriptor buffer overflow
• 0.9:
  • (no known vulnerabilities)

Reporting vulnerabilities

Users are encouraged to report publicly available vulnerabilities that have not been addressed to the nss-pam-ldapd-users mailing list.

For not yet publicly known vulnerabilities, you are encouraged to send an email to arthur@arthurdejong.org (preferably PGP encrypted) with any available details. A fix and advisory will be coordinated and released as soon as possible and you will be given credit in the announcement.