From security@caldera.com Tue Jun 4 08:50:22 2002
From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com, security-alerts@linuxsecurity.com
Date: Mon, 3 Jun 2002 13:58:59 -0700
Subject: Security Update: [CSSA-2002-024.0] Volution Manager: Directory Administrator password in cleartext

______________________________________________________________________________

                        Caldera International, Inc.  Security Advisory

Subject:                Volution Manager: Directory Administrator password in cleartext
Advisory number:        CSSA-2002-024.0
Issue date:             2002 June 3
Cross reference:
______________________________________________________________________________


1. Problem Description

        Volution Manager stores the unencrypted Directory Administrator's
        password in the /etc/ldap/slapd.conf file.

        This vulnerability will be corrected in the next release of
        Volution Manager.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------
        Volution Manager 1.1 Standard


3. Solution

        Volution Manager stores the unencrypted Directory Administrator's
        password in the /etc/ldap/slapd.conf file. The password line looks
        similar to this:

                rootpw

        Caldera strongly recommends that you encrypt this password, using
        the following steps:

        As the root user, run slappasswd, entering your desired password at
        the prompts (the example uses newpasswd as the new password; the
        password will not be seen as you type it).

                # slappasswd
                New password: newpasswd
                Re-enter new password: newpasswd
                {SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz
                #

        The output is the new, encrypted password.

        In the file /etc/ldap/slapd.conf, replace the previous rootpw line
        with a line containing the new, encrypted password so that the line
        looks similar to this:

                rootpw {SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz


4. References

        Specific references for this advisory:
                none

        Caldera OpenLinux security resources:
                http://www.caldera.com/support/security/index.html

        Caldera UNIX security resources:
                http://stage.caldera.com/support/security/

        This security advisory closes Caldera incidents sr864231, erg501574.


5. Disclaimer

        Caldera International, Inc. is not responsible for the misuse of any
        of the information we provide on this website and/or through our
        security advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of Caldera products.

______________________________________________________________________________