On Fri, 14 Dec 2007 10:45:36 am Nicolas Boullis wrote: > Hi, > > Steve Kemp wrote: > > ------------------------------------------------------------------------ > > Debian Security Advisory DSA-1430-1 [EMAIL PROTECTED] > > http://www.debian.org/security/ Steve Kemp > > December 11, 2007 http://www.debian.org/security/faq > > ------------------------------------------------------------------------ > > > > Package : libnss-ldap > > Vulnerability : denial of service > > Problem type : local > > Debian-specific: no > > CVE Id(s) : CVE-2007-5794 > > Debian Bug : 453868 > > > > It was reported that a race condition exists in libnss-ldap, an > > NSS module for using LDAP as a naming service, which could cause > > denial of service attacks when applications use pthreads. > > > > This problem was spotted in the dovecot IMAP/POP server but > > potentially affects more programs. > > > > For the stable distribution (etch), this problem has been fixed in > > version 251-7.5etch1. > > > > For the old stable distribution (sarge), this problem has been fixed in > > version 238-1sarge1. > > libnss-ldap 238-1 depends on libkrb while libnss-ldap 238-1sarge1 does > not. That sounds strange. Is it expected? Is it safe to upgrade a > production server? Note from what I can see, the sarge packages (except the i386 version) did not depend on 238-1, but the etch packages do. cc'ing the maintainer, maybe he knows why.
Cheers Steffen
signature.asc
Description: This is a digitally signed message part.
