
Re: security/2006/dsa-1204.wml



Sugiyama here.

On Sun, 3 Dec 2006 02:28:46 +0900, KISE Hiroshi wrote:
> From: SUGIYAMA Tomoaki <tomos@xxxxxxxxxxxxxxxx>

> > <p>It was discovered that the Ingo email filter rules manager does not
> > sufficiently perform 退避 (taihi, literally "evacuation") of user-provided
> > data in the created procmail rules files. This problem makes it possible
> > to execute arbitrary shell commands.</p>

> >> It was discovered that the Ingo email filter rules manager performs
> >> insufficient escaping of user-provided data in created procmail rules
> >> files, which allows the execution of arbitrary shell commands.

> I think “escaping” here can simply be rendered as 「エスケープ(処理)」 (escape [processing]).

Thank you as always. I have changed it to 「エスケープ処理」 (escape processing) and
committed it. Also, as for the security/2006/dsa-1203.wml matter below:

On Sun, 3 Dec 2006 02:50:41 +0900, KISE Hiroshi wrote:
> Subject: security/2006/dsa-1203.wml
> > <p>Steve Rigler discovered that the PAM module for authentication against
> > LDAP servers mishandles PasswordPolicyReponse control messages. This
> > problem makes it possible for an attacker to log in to a サスペンドされた
> > (suspended) system account.</p>

> >> Steve Rigler discovered that the PAM module for authentication
> >> against LDAP servers processes PasswordPolicyReponse control
> >> messages incorrectly, which might lead to an attacker being able to
> >> login into a suspended system account.

> As for “suspended”, in this case it refers to the state in which the
> account is locked, so how about
> 「(一時停止|停止|ロック)されているシステムアカウント〜」
> (a system account that is (temporarily suspended|disabled|locked) ...)?

I have changed it to 「停止されているシステムアカウント」 (a system account that has
been disabled) (or rather, reverted it to match Kaneko-san's wording) and committed it.

--
SUGIYAMA Tomoaki
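The DSA-1204 text quoted above describes the class of bug (user data written into a generated procmail rules file without escaping) but not its mechanics. The following added example, written for this page and not taken from Ingo, Horde or Debian, shows the mechanism with a hypothetical rule generator: a naive version pastes a user-supplied folder name into a recipe, so a folder value containing a newline followed by a `:0` recipe whose action line begins with `|` becomes a pipe to a shell when procmail delivers mail; the hardened version allowlists the folder name and escapes regex metacharacters in the pattern. The rule dictionaries, field names and the `validate`/`safe_recipe` helpers are all assumptions for illustration.

```python
import re

# Constructed sample input (not from Ingo): what a filter-rule form might submit.
SAFE_RULE = {"field": "Subject", "pattern": "weekly report", "folder": "reports"}

# Constructed hostile input: the folder name smuggles a line break, a fresh
# ":0" recipe and an action line starting with "|", which procmail hands to sh.
HOSTILE_RULE = {
    "field": "Subject",
    "pattern": "x",
    "folder": "reports\n:0\n| /bin/sh -c 'id > /tmp/pwned'",
}

ALLOWED_FIELDS = {"Subject", "From", "To", "Cc"}          # hypothetical allowlist
FOLDER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")     # plain mailbox names only
REGEX_META = re.compile(r"([\\.^$*+?()\[\]{}|])")         # egrep-style metacharacters


def naive_recipe(rule):
    """Vulnerable generator: user data is interpolated straight into the recipe."""
    return f":0:\n* ^{rule['field']}:.*{rule['pattern']}\n{rule['folder']}\n"


def recipe_actions(text):
    """Return the action line of every recipe in a procmailrc fragment.

    procmail treats a line starting with ':0' as a recipe header, following
    lines starting with '*' as conditions, and the next line as the action.
    An action beginning with '|' is piped to a shell, which is exactly what an
    injected recipe needs.
    """
    actions = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].startswith(":0"):
            i += 1
            while i < len(lines) and lines[i].startswith("*"):
                i += 1
            if i < len(lines):
                actions.append(lines[i])
        i += 1
    return actions


def validate(rule):
    """Return the reasons a rule is unsafe to emit (empty list when it is OK)."""
    problems = []
    if rule["field"] not in ALLOWED_FIELDS:
        problems.append("header field not in allowlist")
    if any(c in rule["pattern"] for c in "\r\n\x00"):
        problems.append("pattern contains line break or NUL")
    if not FOLDER_RE.fullmatch(rule["folder"]):
        problems.append("folder is not a plain mailbox name")
    return problems


def safe_recipe(rule):
    """Hardened generator: reject structural characters, escape the regex."""
    problems = validate(rule)
    if problems:
        raise ValueError("; ".join(problems))
    pattern = REGEX_META.sub(r"\\\1", rule["pattern"])
    return f":0:\n* ^{rule['field']}:.*{pattern}\n{rule['folder']}\n"


if __name__ == "__main__":
    # The naive generator emits two recipes, the second one a shell pipe.
    print(recipe_actions(naive_recipe(HOSTILE_RULE)))
    print(safe_recipe(SAFE_RULE))
    try:
        safe_recipe(HOSTILE_RULE)
    except ValueError as exc:
        print("rejected:", exc)
```

The hardened version deliberately allowlists rather than escapes the folder name: procmail gives a leading `|`, `!` or `{` on an action line structural meaning, and line breaks start new recipes, so there is no single escape sequence that makes arbitrary text safe in that position. Escaping is reserved for the regex condition, where a backslash does have a well-defined meaning.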