On Tue, Dec 11, 2007 at 10:22:13PM +0000, Steve Kemp wrote: > Package : libnss-ldap > Vulnerability : denial of service > Problem type : local > Debian-specific: no > CVE Id(s) : CVE-2007-5794 > Debian Bug : 453868 > > It was reported that a race condition exists in libnss-ldap, an > NSS module for using LDAP as a naming service, which could cause > denial of service attacks when applications use pthreads. > > This problem was spotted in the dovecot IMAP/POP server but > potentially affects more programs.
I believe this vulnerability has been mislablled as a denial of service vulnerability, rather than an information disclosure vulnerability: According to various sources, eg http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794 https://bugzilla.redhat.com/show_bug.cgi?id=154314 This bug may allow users to obtain effective credentials of a different user (under certain confurations). It may be worth reissuing the advisory to make this clear. Dominic. -- Dominic Hargreaves | http://www.larted.org.uk/~dom/ PGP key 5178E2A5 from the.earth.li (keyserver,web,email) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
