Debian Bug report logs - #392984
CVE-2006-5170: pam_ldap authentication bypass


Package: libpam-ldap; Maintainer for libpam-ldap is Richard A Nelson (Rick) <>; Source for libpam-ldap is src:libpam-ldap.

Reported by: Stefan Fritsch <>

Date: Sat, 14 Oct 2006 14:48:53 UTC

Severity: grave

Tags: patch, security

Fixed in version 180-1.2

Done: Stefan Fritsch <>

Bug is archived. No further changes may be made.



Report forwarded: Bug#392984; Package libpam_ldap.

Acknowledgement sent to Stefan Fritsch <>:
New Bug report received and forwarded.

Message #5 received at:

From: Stefan Fritsch <>
Subject: CVE-2006-5170: pam_ldap authentication bypass
Date: Sat, 14 Oct 2006 16:31:05 +0200 (CEST)
Package: libpam_ldap
Severity: grave
Tags: security patch
Justification: user security hole

A vulnerability has been found in libpam_ldap:
pam_ldap in nss_ldap on Red Hat Enterprise Linux 4, Fedora Core 3 and
earlier, and possibly other distributions does not return an error
condition when an LDAP directory server responds with a
PasswordPolicyResponse control response, which causes the
pam_authenticate function to return a success code even if
authentication has failed, as originally reported for xscreensaver.

See for

From the patch given in the bug report, libpam-ldap 180-1.1 in Debian
seems to be vulnerable, too. Please mention the CVE id in the changelog.

I have attached the patch as there is only a .srpm in the Red Hat bug
[pam_ldap-176-no_suppress.patch (text/plain, attachment)]
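As an added illustration (not the pam_ldap source and not the attached patch), the constructed C model below shows the class of bug the report describes: the verdict of the LDAP bind is overwritten by the status of handling a PasswordPolicyResponse control, so a failed bind arriving with a well-formed control is reported as success. `authenticate_vulnerable` keeps that behaviour; `authenticate_fixed` keeps the bind verdict separate from the control-parsing status. All function names, status codes and the simulated control payload are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Status codes for this constructed model (not PAM's or OpenLDAP's codes). */
enum { AUTH_OK = 0, AUTH_FAILED = 1, AUTH_ERROR = 2 };

/* Parses a simulated PasswordPolicyResponse control carrying a grace-login
 * count and returns AUTH_OK when it is well-formed. As with a real control
 * parser, this status says nothing about whether the bind itself succeeded. */
static int parse_ppolicy_control(int ctl_grace, int *grace)
{
    if (ctl_grace < 0)
        return AUTH_ERROR;      /* treat a negative count as a malformed control */
    *grace = ctl_grace;
    return AUTH_OK;
}

/* Vulnerable pattern: the bind verdict held in rc is replaced by the control
 * parser's status, so bind_ok == false plus a well-formed control yields
 * AUTH_OK, which a PAM caller would take as successful authentication. */
int authenticate_vulnerable(bool bind_ok, bool has_ctl, int ctl_grace)
{
    int grace = 0;
    int rc = bind_ok ? AUTH_OK : AUTH_FAILED;
    if (has_ctl)
        rc = parse_ppolicy_control(ctl_grace, &grace);   /* clobbers the bind verdict */
    return rc;
}

/* Fixed pattern: the control status lives in its own variable and is used
 * only to report policy state after a successful bind; the bind verdict is
 * what gets returned to the caller. */
int authenticate_fixed(bool bind_ok, bool has_ctl, int ctl_grace)
{
    int grace = 0;
    int rc = bind_ok ? AUTH_OK : AUTH_FAILED;
    if (has_ctl) {
        int ctl_rc = parse_ppolicy_control(ctl_grace, &grace);
        if (rc == AUTH_OK && ctl_rc == AUTH_OK)
            printf("password policy: %d grace login(s) remaining\n", grace);
    }
    return rc;
}
```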

Bug reassigned from package `libpam_ldap' to `libpam-ldap'. Request was from Martin Michlmayr <>.

Reply sent to Stefan Fritsch <>:
You have taken responsibility.

Notification sent to Stefan Fritsch <>:
Bug acknowledged by developer.

Message #12 received at:

From: Stefan Fritsch <>
Subject: Fwd: Accepted libpam-ldap 180-1.2 (source i386)
Date: Tue, 24 Oct 2006 20:45:17 +0200
Version: 180-1.2

Fixed by NMU


Format: 1.7
Date: Sun, 22 Oct 2006 22:26:58 +0200
Source: libpam-ldap
Binary: libpam-ldap
Architecture: source i386
Version: 180-1.2
Distribution: unstable
Urgency: high
Maintainer: Stephen Frost <>
Changed-By: Moritz Muehlenhoff <>
 libpam-ldap - Pluggable Authentication Module allowing LDAP 
 libpam-ldap (180-1.2) unstable; urgency=high
   * NMU for RC security bug.
   * Fix error passing for PasswordPolicyResponse control responses.



Bug archived. Request was from Debbugs Internal Request <> (Tue, 26 Jun 2007 20:54:33 GMT).


Debian bug tracking system administrator <>. Last modified: Fri Apr 18 06:24:10 2014.

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.