Re: [SECURITY] [DSA 1430-1] New libnss-ldap packages fix denial of service

From: Nicolas Boullis <nicolas.boullis(at)ecp.fr>
Date: Fri Dec 14 2007 - 04:45:36 EST


Hi,

Steve Kemp wrote:
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-1430-1 security@debian.org
> http://www.debian.org/security/ Steve Kemp
> December 11, 2007 http://www.debian.org/security/faq
> ------------------------------------------------------------------------
>
> Package : libnss-ldap
> Vulnerability : denial of service
> Problem type : local
> Debian-specific: no
> CVE Id(s) : CVE-2007-5794
> Debian Bug : 453868
>
> It was reported that a race condition exists in libnss-ldap, an
> NSS module for using LDAP as a naming service, which could cause
> denial of service attacks when applications use pthreads.
>
> This problem was spotted in the dovecot IMAP/POP server but
> potentially affects more programs.
>
> For the stable distribution (etch), this problem has been fixed in version
> 251-7.5etch1.
>
> For the old stable distribution (sarge), this problem has been fixed in
> version 238-1sarge1.

libnss-ldap 238-1 depends on libkrb while libnss-ldap 238-1sarge1 does not. That sounds strange. Is it expected? Is it safe to upgrade a production server?

Cheers,

Nicolas

Received on Fri Dec 14 05:27:21 2007
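As an added example that is not part of this thread or of Debian's own tooling, the check behind the question above: parse the Depends: fields of two package stanzas (as printed by `dpkg -s` or found in a Packages file) and report which dependencies the new version adds or drops. The stanzas and their dependency lists below are constructed for illustration and are not the real ones for 238-1 or 238-1sarge1.

```python
"""Diff the Depends: fields of two Debian package stanzas before an upgrade."""
import re

# Constructed stanzas: hypothetical dependency lists, NOT the real
# libnss-ldap 238-1 / 238-1sarge1 control data.
OLD_STANZA = """\
Package: libnss-ldap
Version: 238-1
Depends: libc6 (>= 2.3.2.ds1-4), libldap2 (>= 2.1.17-1), libkrb53 (>= 1.3.2), libsasl2 (>= 2.1.19), debconf (>= 0.5) | debconf-2.0
"""

NEW_STANZA = """\
Package: libnss-ldap
Version: 238-1sarge1
Depends: libc6 (>= 2.3.2.ds1-4), libldap2 (>= 2.1.17-1), libsasl2 (>= 2.1.19), debconf (>= 0.5) | debconf-2.0
"""


def parse_depends(stanza):
    """Return the set of dependency items named in the Depends: field.

    Alternatives (a | b) are kept as one item 'a|b' so a changed alternative
    set is visible; version constraints '(>= x)' and arch qualifiers '[...]'
    are dropped because the question is *which* packages get pulled in.
    """
    match = re.search(r"^Depends:\s*(.*)$", stanza, re.MULTILINE)
    if not match:
        return set()
    deps = set()
    for clause in match.group(1).split(","):
        names = [re.sub(r"\s*[\(\[].*$", "", alt.strip()) for alt in clause.split("|")]
        deps.add("|".join(n for n in names if n))
    return deps


def dependency_diff(old_stanza, new_stanza):
    """Return {'added': [...], 'removed': [...]} between two stanzas."""
    old, new = parse_depends(old_stanza), parse_depends(new_stanza)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    diff = dependency_diff(OLD_STANZA, NEW_STANZA)
    print("added:  ", diff["added"])
    print("removed:", diff["removed"])
```

On a real host, feed it the output of `dpkg -s libnss-ldap` for the installed version and the candidate stanza from `apt-cache show libnss-ldap`.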