
Re: Security problem with slapd/slurpd?



On Wed, Oct 16, 2002 at 11:08:11AM +0200, Massimiliano Mirra wrote:

> When slapd (LDAP server daemon) is configured to replicate itself to
> another server, on each addition/modification to the directory it will
> store the changes to be replicated in /var/lib/ldap/replog.  This
> directory is world readable and entries like userPassword will be visible
> (although on sensible setups they will already be hashed to MD5 or SHA).
> slurpd will then pick the changes up, push them to the slave directory,
> and store them in /var/spool/slurpd/replica/slurpd.replog, which is a
> complete log of changes applied by slurpd and is world readable as well.
> 
> Am I missing something or should a bug be filed?

It sounds like a bug, but if you are unsure you should contact the
maintainer of the slapd package (CC'd), who is more capable of answering
authoritatively than the debian-security mailing list.

-- 
 - mdz
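
An added example, not part of the original messages: a POSIX shell check for the exposure described in the quoted report. It uses the two paths named there and reads only the classic mode bits, so ACLs are ignored. The function names are made up for this illustration.

```shell
#!/bin/sh
# Added example: audit whether replication logs are readable by "other" users.
# Paths are the ones named in the message above; POSIX ACLs are not examined.

# Print the 10-character mode string of a path, e.g. -rw-r--r--
mode_of() { ls -ld -- "$1" | cut -c1-10; }

# world_readable PATH
# 0 = readable by others (o+r on PATH and o+x on every ancestor directory)
# 1 = not readable by others, 2 = PATH does not exist
# A relative PATH is only checked up to the current directory.
world_readable() {
    wr_path=$1
    [ -e "$wr_path" ] || return 2
    case $(mode_of "$wr_path") in
        ???????r??) ;;
        *) return 1 ;;
    esac
    wr_dir=$(dirname -- "$wr_path")
    while :; do
        case $(mode_of "$wr_dir") in
            ?????????[xt]) ;;      # t = sticky bit with o+x set (e.g. /tmp)
            *) return 1 ;;
        esac
        case $wr_dir in /|.) break ;; esac
        wr_dir=$(dirname -- "$wr_dir")
    done
    return 0
}

# Report the status of each path given as an argument.
audit_replogs() {
    for ar_path in "$@"; do
        ar_rc=0
        world_readable "$ar_path" || ar_rc=$?
        case $ar_rc in
            0) echo "EXPOSED  $ar_path" ;;
            1) echo "ok       $ar_path" ;;
            *) echo "absent   $ar_path" ;;
        esac
    done
}

audit_replogs /var/lib/ldap/replog /var/spool/slurpd/replica/slurpd.replog
```

A file with o+r is only reachable by other users when every directory above it grants o+x, which is why the check walks the ancestors instead of looking at the file mode alone.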


