Re: Freeze exception for sssd?
[Petter Reinholdtsen]
> [Petter Reinholdtsen]
>> These are the changelog entries since the version currently in
>> testing:
>
> Since my first request for a freeze exception, a serious security
> issue was discovered and fixed. I just uploaded the fix. This is the
> changelog:
>
> sssd (1.2.1-4) unstable; urgency=low
>
> * Add patch from Stephen Gallagher to ensure LDAP authentication
> never accept a zero length password (Closes: #594413). Solves
> CVE-2010-2940.
>
> -- Petter Reinholdtsen <pere@debian.org> Wed, 25 Aug 2010 22:33:40 +0200
>
> JFYI.
Any news on this freeze exception request? I believe the sssd package
in squeeze is unreleasable with bug #594413 in place, so it would be
very nice if a fix would make it into squeeze soon.
The fix was uploaded to unstable 4 days ago, with I admit wrong
urgency low instead of high, and it would be nice if those using sssd
with LDAP authentication in Squeeze can get their security back
soon. :)
Luckily there are very few users of sssd according to
popcon.debian.org. :)
Happy hacking,
--
Petter Reinholdtsen
Reply to: