Hosting Provided By

Re: [SECURITY] [DSA 1430-1] New libnss-ldap packages fix denial of service

From: Steffen Joeris <steffen.joeris(at)skolelinux.de>
Date: Fri Dec 14 2007 - 06:02:56 EST

On Fri, 14 Dec 2007 11:53:53 am Steffen Joeris wrote:
> On Fri, 14 Dec 2007 10:45:36 am Nicolas Boullis wrote:
> > Hi,
> >
> > Steve Kemp wrote:
> > > -----------------------------------------------------------------------
> > >- Debian Security Advisory DSA-1430-1
> > > security(at)debian.org http://www.debian.org/security/
> > > Steve Kemp December 11, 2007
> > > http://www.debian.org/security/faq
> > > -----------------------------------------------------------------------
> > >-
> > >
> > > Package : libnss-ldap
> > > Vulnerability : denial of service
> > > Problem type : local
> > > Debian-specific: no
> > > CVE Id(s) : CVE-2007-5794
> > > Debian Bug : 453868
> > >
> > > It was reported that a race condition exists in libnss-ldap, an
> > > NSS module for using LDAP as a naming service, which could cause
> > > denial of service attacks when applications use pthreads.
> > >
> > > This problem was spotted in the dovecot IMAP/POP server but
> > > potentially affects more programs.
> > >
> > > For the stable distribution (etch), this problem has been fixed in
> > > version 251-7.5etch1.
> > >
> > > For the old stable distribution (sarge), this problem has been fixed in
> > > version 238-1sarge1.
> >
> > libnss-ldap 238-1 depends on libkrb while libnss-ldap 238-1sarge1 does
> > not. That sounds strange. Is it expected? Is it safe to upgrade a
> > production server?

> Note from what I can see, the sarge packages (except the i386 version) did
> not depend on 238-1, but the etch packages do.
> cc'ing the maintainer, maybe he knows why.
I meant that the sarge packages did not depend on libkrb53 of course.

Sorry for the confusion.

Cheers
Steffen

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


application/pgp-signature attachment: This is a digitally signed message part.

Received on Fri Dec 14 06:03:56 2007

This message: [ Message body ]
Next message: Tirla Adrian: "large campus network ... sugestions"
Previous message: Steffen Joeris: "Re: [SECURITY] [DSA 1430-1] New libnss-ldap packages fix denial of service"
In reply to: Steffen Joeris: "Re: [SECURITY] [DSA 1430-1] New libnss-ldap packages fix denial of service"
Next in thread: Nicolas Boullis: "Re: [SECURITY] [DSA 1430-1] New libnss-ldap packages fix denial of service"
Reply: Nicolas Boullis: "Re: [SECURITY] [DSA 1430-1] New libnss-ldap packages fix denial of service"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:54:27 EDT