Hi,

Steve Kemp wrote:
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-1430-1 [EMAIL PROTECTED]
> http://www.debian.org/security/ Steve Kemp
> December 11, 2007 http://www.debian.org/security/faq
> ------------------------------------------------------------------------
>
> Package : libnss-ldap
> Vulnerability : denial of service
> Problem type : local
> Debian-specific: no
> CVE Id(s) : CVE-2007-5794
> Debian Bug : 453868
>
> It was reported that a race condition exists in libnss-ldap, an
> NSS module for using LDAP as a naming service, which could cause
> denial of service attacks when applications use pthreads.
>
> This problem was spotted in the dovecot IMAP/POP server but
> potentially affects more programs.
>
> For the stable distribution (etch), this problem has been fixed in version
> 251-7.5etch1.
>
> For the old stable distribution (sarge), this problem has been fixed in
> version 238-1sarge1.

libnss-ldap 238-1 depends on libkrb while libnss-ldap 238-1sarge1 does not.
That sounds strange. Is it expected? Is it safe to upgrade a production
server?

Cheers,
Nicolas