Pantek Library

Re: [SECURITY] [DSA 1430-1] New libnss-ldap packages fix denial of service

From: Dominic Hargreaves <dom(at)earth.li>
Date: Tue Dec 11 2007 - 18:03:05 EST


On Tue, Dec 11, 2007 at 10:22:13PM +0000, Steve Kemp wrote:

> Package : libnss-ldap
> Vulnerability : denial of service
> Problem type : local
> Debian-specific: no
> CVE Id(s) : CVE-2007-5794
> Debian Bug : 453868
>
> It was reported that a race condition exists in libnss-ldap, an
> NSS module for using LDAP as a naming service, which could cause
> denial of service attacks when applications use pthreads.
>
> This problem was spotted in the dovecot IMAP/POP server but
> potentially affects more programs.

I believe this vulnerability has been mislabelled as a denial of service vulnerability, rather than an information disclosure vulnerability:

According to various sources, e.g.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794
https://bugzilla.redhat.com/show_bug.cgi?id=154314

This bug may allow users to obtain effective credentials of a different user (under certain configurations).

It may be worth reissuing the advisory to make this clear.

Dominic.

-- 
Dominic Hargreaves | 
http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)


Received on Tue Dec 11 18:57:25 2007

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:54:24 EDT

