PublicDateAtUSN: 2010-07-26
Candidate: CVE-2010-0833
PublicDate: 2010-07-28 12:48:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0833
 https://ubuntu.com/security/notices/USN-964-1
Description:
 The pam_lsass library in Likewise Open 5.4 and CIFS 5.4 before build 8046,
 and 6.0 before build 8234, as used in HP StorageWorks X9000 Network Storage
 Systems and possibly other products, uses "SetPassword logic" when running
 as part of a root service, which allows remote attackers to bypass
 authentication for a Likewise Security Authority (lsassd) account whose
 password is marked as expired.
Ubuntu-Description: 
 Matt Weatherford discovered that Likewise Open did not correctly check
 password expiration for the local-provider account. A local attacker
 could exploit this to log into a system they would otherwise not have
 access to.
Notes: 
Bugs: 
Priority: medium
Discovered-by: Matt Weatherford
Assigned-to: kees
CVSS: 

Patches_likewise-open:
upstream_likewise-open: released (5.4.1)
dapper_likewise-open: DNE
hardy_likewise-open: not-affected
jaunty_likewise-open: not-affected
karmic_likewise-open: not-affected
lucid_likewise-open: released (5.4.0.42111-2ubuntu1.1)
devel_likewise-open: released (5.4.0.42111-2ubuntu1.2)