Package: dovecot
Version: 1.0.rc15-2etch4

This is a request to fix a bogus warning in dovecot's config file.

While trying to use dovecot as a postfix sasl auth mechanism, I came across this comment in /etc/dovecot/dovecot.conf

========================================
auth default {
.....
  # /etc/passwd or similar, using getpwnam()
  # In many systems nowadays this uses Name Service Switch, which is
  # configured in /etc/nsswitch.conf. WARNING: nss_ldap is known to be broken
  # with Dovecot. Don't use it, or users might log in as each others!
  # http://wiki.dovecot.org/AuthDatabase/Passwd
  userdb passwd {
  }
========================================

I did some research starting on the given wiki page. That page gives a workaround for dovecot 1.0.rc23 and later, but etch has 1.0.rc15. Following the bug referenced, I found that the root of the problem was fixed in

libnss-ldap (251-7.5etch1)
  # Fix race condition, which could lead to a DoS, when applications
  # use pthread and fork after a call to nss_ldap
  Fixes: CVE-2007-5794

The link for the CVE:
http://secunia.com/advisories/cve_reference/CVE-2007-5794/

So, there seems to be no risk in using libnss-ldap and dovecot+PAM in etch. The comment should be removed or expanded to explain that a problem 'was' present but fixed with libnss-ldap version 251-7.5etch1.

--
Gokdeniz Karadag