Subject: Re: [SECURITY] [DSA 1430-1] New libnss-ldap packages fix denial of service
Group: Debian-security
From: Dominic Hargreaves
Date: 11 Dec 2007


 
On Tue, Dec 11, 2007 at 10:22:13PM +0000, Steve Kemp wrote:

> Package : libnss-ldap
> Vulnerability : denial of service
> Problem type : local
> Debian-specific: no
> CVE Id(s) : CVE-2007-5794
> Debian Bug : 453868
>
> It was reported that a race condition exists in libnss-ldap, an
> NSS module for using LDAP as a naming service, which could cause
> denial of service attacks when applications use pthreads.
>
> This problem was spotted in the dovecot IMAP/POP server but
> potentially affects more programs.

I believe this vulnerability has been mislabelled as a denial of service
vulnerability, rather than an information disclosure vulnerability:

According to various sources, eg

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794
https://bugzilla.redhat.com/show_bug.cgi?id=154314

This bug may allow users to obtain effective credentials of a different
user (under certain configurations).

It may be worth reissuing the advisory to make this clear.

Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

