Re: [SECURITY] [DSA 1430-1] New libnss-ldap packages fix denial of service

On Fri, 14 Dec 2007 10:45:36 am Nicolas Boullis wrote:
> Hi,
>
> Steve Kemp wrote:
> > ------------------------------------------------------------------------
> > Debian Security Advisory DSA-1430-1 security@debian.org
> > http://www.debian.org/security/ Steve Kemp
> > December 11, 2007 http://www.debian.org/security/faq
> > ------------------------------------------------------------------------
> >
> > Package : libnss-ldap
> > Vulnerability : denial of service
> > Problem type : local
> > Debian-specific: no
> > CVE Id(s) : CVE-2007-5794
> > Debian Bug : 453868
> >
> > It was reported that a race condition exists in libnss-ldap, an
> > NSS module for using LDAP as a naming service, which could cause
> > denial of service attacks when applications use pthreads.
> >
> > This problem was spotted in the dovecot IMAP/POP server but
> > potentially affects more programs.
> >
> > For the stable distribution (etch), this problem has been fixed in
> > version 251-7.5etch1.
> >
> > For the old stable distribution (sarge), this problem has been fixed in
> > version 238-1sarge1.
>
> libnss-ldap 238-1 depends on libkrb while libnss-ldap 238-1sarge1 does
> not. That sounds strange. Is it expected? Is it safe to upgrade a
> production server?

Note from what I can see, the sarge packages (except the i386 version) did not depend on 238-1, but the etch packages do. cc'ing the maintainer, maybe he knows why.

Cheers
Steffen

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


application/pgp-signature attachment: This is a digitally signed message part.