-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

		Caldera International, Inc.  Security Advisory

Subject:		Volution Manager: Directory Administrator password in cleartext
Advisory number: 	CSSA-2002-024.0
Issue date: 		2002 June 3
Cross reference:
______________________________________________________________________________


1. Problem Description

	Volution Manager stores the unencrypted Directory
	Administrator's password in the /etc/ldap/slapd.conf file.

	This vulnerability will be corrected in the next release of
	Volution Manager.

2. Vulnerable Supported Versions


	System				Package
	----------------------------------------------------------------------
	Volution Manager 1.1		Standard


3. Solution

	Volution Manager stores the un-encrypted Directory
	Administrator's password in the /etc/ldap/slapd.conf file.
	The password line looks similar to this:

		rootpw		<clear_text_password>

	Caldera strongly recommends that you encrypt this password,
	using the following steps:

	As the root user, run slappasswd, entering your desired
	password at the prompts (the example uses newpasswd as the new
	password; the password will not be seen as you type it).

	# slappasswd
	New password: newpasswd
	Re-enter new password: newpasswd
	{SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz
	#

	The output is the new, encrypted password. In the file
	/etc/ldap/slapd.conf, replace the previous rootpw line with a
	line containing the new, encrypted password so that the line
	looks similar to this:

		rootpw		{SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz


4. References

	Specific references for this advisory:
		none

	Caldera OpenLinux security resources:
		http://www.caldera.com/support/security/index.html

	Caldera UNIX security resources:
		http://stage.caldera.com/support/security/

	This security advisory closes Caldera incidents sr864231,
	erg501574.



5. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on this website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera products.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjz73NoACgkQbluZssSXDTGtCACg4uay41Nv/PJClRDdjr7ZbHI/
G7MAnjQPJ1/PRnsXmpGsQaDBTmVBWZw4
=+bRU
-----END PGP SIGNATURE-----