发布日期：2004-05-17
更新日期：2004-05-25

受影响系统：

MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
MandrakeSoft Linux Mandrake 9.2 amd64
MandrakeSoft Linux Mandrake 9.2
MandrakeSoft Linux Mandrake 9.1 ppc
MandrakeSoft Linux Mandrake 9.1
MandrakeSoft Linux Mandrake 9.0
MandrakeSoft Linux Mandrake 8.2
MandrakeSoft Linux Mandrake 10.0
MandrakeSoft Multi Network Firewall 8.2

描述：

---

BUGTRAQ  ID: 10370
CVE(CAN) ID: CVE-2004-2394

Mandrake Linux是一款开放源代码操作系统。

Mandrake Linux的passwd实现存在问题，可能导致安全级别降低，用户不能登录等问题。

根据报告，Mandrake Linux通过stdin提供给passwd的密码比预想的要少一字符，目前还不清楚是否会在交互提示状况下发生。这可导致用户密码存储不正确或用户不能登录。

另外PAM不正确初始化和"safe and proper""操作存在一定问题。

<*来源：Steve Grubb （linux_4ever@yahoo.com）
  
  链接：http://www.linux-mandrake.com/en/security/2004/2004-045.php
*>

建议：

---

厂商补丁：

MandrakeSoft
------------
MandrakeSoft已经为此发布了一个安全公告（MDKSA-2004:045）以及相应补丁:
MDKSA-2004:045：Updated passwd packages fix vulnerabilities
链接：http://www.linux-mandrake.com/en/security/2004/2004-045.php

补丁下载：

Updated Packages:

Mandrakelinux 10.0:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/passwd-0.68-2.2.100mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/SRPMS/passwd-0.68-2.2.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/passwd-0.68-2.2.100mdk.amd64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/SRPMS/passwd-0.68-2.2.100mdk.src.rpm

Corporate Server 2.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/passwd-0.67-5.2.C21mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/SRPMS/passwd-0.67-5.2.C21mdk.src.rpm

Corporate Server 2.1/x86_64:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/passwd-0.67-5.2.C21mdk.x86_64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/SRPMS/passwd-0.67-5.2.C21mdk.src.rpm

Mandrakelinux 9.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/passwd-0.68-2.2.91mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/SRPMS/passwd-0.68-2.2.91mdk.src.rpm

Mandrakelinux 9.1/PPC:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/passwd-0.68-2.2.91mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/SRPMS/passwd-0.68-2.2.91mdk.src.rpm

Mandrakelinux 9.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/passwd-0.68-2.2.92mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/SRPMS/passwd-0.68-2.2.92mdk.src.rpm

Mandrakelinux 9.2/AMD64:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/passwd-0.68-2.2.92mdk.amd64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/SRPMS/passwd-0.68-2.2.92mdk.src.rpm

Multi Network Firewall 8.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/mnf8.2/RPMS/passwd-0.64.1-9.2.M82mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/mnf8.2/SRPMS/passwd-0.64.1-9.2.M82mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php


上述升级软件还可以在下列地址中的任意一个镜像ftp服务器上下载：
http://www.mandrakesecure.net/en/ftp.php

浏览次数：3394
严重程度：0（网友投票）