On Mon, 2010-12-27 at 16:36 +0100, Julien Cristau wrote:
> > Also, do you think it is a good idea to highlight the switch to
> > nss-pam-ldapd a bit more in the "What's new" section? I think it should
> > also be a good idea to switch for people not affected by this specific
> > problem. I can provide a patch if needed.
>
> Sounds like a good plan to me.

I will prepare a patch (or would you prefer something in the NewInSqueeze
wiki page?). Do you want me to commit this part (new version attached)?

> > <title>Potential problems</title>
> > -<para>
> > +<para>
> > Sometimes, changes introduced in a new release have side-effects
>
> Unrelated, please drop this hunk.

Oops, editor automatically removing trailing spaces.

> I think schroot may be affected as well (#589884).

Rephrased a bit and added schroot.

> > + Note that <systemitem role="package">libnss-ldapd</systemitem> recommends
> > + the NSS caching daemon (<command>nscd</command>) which you should evaluate
> > + for suitability in your environment before installing.
>
> Maybe mention unscd here, it's supposedly less crashy than nscd.

I didn't think unscd would make it into squeeze but it's great that it
will. I've added a line about unscd. I'm using unscd on my box without
issues but then again, I never really ran into major issues with nscd.

--
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --

Index: en/release-notes.dbk =================================================================== --- en/release-notes.dbk (revision 7951) +++ en/release-notes.dbk (working copy) @@ -390,6 +390,14 @@ <glossdef><para>Serial Advanced Technology Attachment</para></glossdef> </glossentry> <glossentry> + <glossterm>SSL</glossterm> + <glossdef><para>Secure Sockets Layer</para></glossdef> + </glossentry> + <glossentry> + <glossterm>TLS</glossterm> + <glossdef><para>Transport Layer Security</para></glossdef> + </glossentry> + <glossentry> <glossterm>USB</glossterm> <glossdef><para>Universal Serial Bus</para></glossdef> </glossentry> Index: en/issues.dbk =================================================================== --- en/issues.dbk (revision 7951) +++ en/issues.dbk (working copy) 
@@ -434,6 +434,44 @@ </para> </section> +<section id="ldap"> + <title><acronym>LDAP</acronym> support</title> + <indexterm><primary>LDAP</primary></indexterm> + <para> + A feature in the cryptography libraries used in the + <acronym>LDAP</acronym> libraries causes programs that use + <acronym>LDAP</acronym> and attempt to change their effective + privileges to fail when connecting to an <acronym>LDAP</acronym> + server using <acronym>TLS</acronym> or <acronym>SSL</acronym>. + This can cause problems for suid programs on systems using + <systemitem role="package">libnss-ldap</systemitem> like + <command>sudo</command>, <command>su</command> or + <command>schroot</command> and for suid programs that perform LDAP + searches like <systemitem role ="package">sudo-ldap</systemitem>. + </para> + <para> + It is recommended to replace the + <systemitem role="package">libnss-ldap</systemitem> package with + <systemitem role="package">libnss-ldapd</systemitem>, a newer library + which uses separate daemon (<command>nslcd</command>) for all + <acronym>LDAP</acronym> lookups. The replacement for + <systemitem role="package">libpam-ldap</systemitem> is + <systemitem role="package">libpam-ldapd</systemitem>. + </para> + <para> + Note that <systemitem role="package">libnss-ldapd</systemitem> recommends + the NSS caching daemon (<systemitem role="package">nscd</systemitem>) + which you should evaluate for suitability in your environment before + installing. + As an alternative to <systemitem role="package">nscd</systemitem> you + can consider <systemitem role="package">unscd</systemitem>. + </para> + <para> + Further information is available in bugs + <ulink url="&url-bts;566351">#566351</ulink> and + <ulink url="&url-bts;545414">#545414</ulink>. + </para> +</section> <section id="kde-desktop-changes" condition="fixme"> <title>KDE desktop</title>
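
Review bot: In the first paragraph of the new "ldap" section in en/issues.dbk, the sentence listing affected programs is ambiguous: as written, "like sudo, su or schroot" can be read as examples of libnss-ldap rather than of suid programs. Moving the examples next to "suid programs" (for instance "suid programs such as sudo, su or schroot on systems using libnss-ldap") would remove the ambiguity. Three smaller points: the same paragraph has `<systemitem role ="package">sudo-ldap</systemitem>` with a stray space before `=`, unlike every other `role="package"` in the hunk; "perform LDAP searches" leaves LDAP outside the `<acronym>` markup used everywhere else in the section; and in the second paragraph "which uses separate daemon" is missing its article ("a separate daemon").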