
Re: [SECURITY] [DSA 1430-1] New libnss-ldap packages fix denial of service



On Fri, 14 Dec 2007 11:53:53 am Steffen Joeris wrote:
> On Fri, 14 Dec 2007 10:45:36 am Nicolas Boullis wrote:
> > Hi,
> >
> > Steve Kemp wrote:
> > > ------------------------------------------------------------------------
> > > Debian Security Advisory DSA-1430-1           security@debian.org
> > > http://www.debian.org/security/                          Steve Kemp
> > > December 11, 2007                   http://www.debian.org/security/faq
> > > ------------------------------------------------------------------------
> > >
> > > Package        : libnss-ldap
> > > Vulnerability  : denial of service
> > > Problem type   : local
> > > Debian-specific: no
> > > CVE Id(s)      : CVE-2007-5794
> > > Debian Bug     : 453868
> > >
> > > It was reported that a race condition exists in libnss-ldap, an
> > > NSS module for using LDAP as a naming service, which could cause
> > > denial of service attacks when applications use pthreads.
> > >
> > > This problem was spotted in the dovecot IMAP/POP server but
> > > potentially affects more programs.
> > >
> > > For the stable distribution (etch), this problem has been fixed in
> > > version 251-7.5etch1.
> > >
> > > For the old stable distribution (sarge), this problem has been fixed in
> > > version 238-1sarge1.
> >
> > libnss-ldap 238-1 depends on libkrb while libnss-ldap 238-1sarge1 does
> > not. That sounds strange. Is it expected? Is it safe to upgrade a
> > production server?
>
> Note from what I can see, the sarge packages (except the i386 version) did
> not depend on 238-1, but the etch packages do.
> cc'ing the maintainer, maybe he knows why.
I meant that the sarge packages did not depend on libkrb53 of course.

Sorry for the confusion.

Cheers
Steffen

Attachment: signature.asc
Description: This is a digitally signed message part.
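The question in the thread is whether the fixed libnss-ldap packages pull in libkrb53 and whether the installed version is one of those named in DSA-1430-1. The script below is an added example, not part of the advisory or of either poster's message: it parses dpkg-style package stanzas and answers both questions. The stanzas embedded here are constructed for the example (the Depends lists are illustrative, not the real package metadata); on a Debian host you would feed it the output of the dpkg-query command shown in the comment instead.

```shell
#!/bin/sh
# Added example (not from DSA-1430-1 or the thread): check the installed
# libnss-ldap version against the versions named in the advisory and report
# whether the package declares a dependency on libkrb53.
#
# On a real host, produce a stanza like the ones below with:
#   dpkg-query -W -f='Package: ${Package}\nVersion: ${Version}\nDepends: ${Depends}\n' libnss-ldap
# The stanzas here are constructed so the script runs offline; their Depends
# fields are illustrative and are NOT the actual package metadata.

SAMPLE_SARGE='Package: libnss-ldap
Version: 238-1sarge1
Depends: libc6 (>= 2.3.2.ds1-4), libldap2 (>= 2.1.17-1), debconf (>= 0.5) | debconf-2.0'

SAMPLE_ETCH='Package: libnss-ldap
Version: 251-7.5etch1
Depends: libc6 (>= 2.3.6-6), libkrb53 (>= 1.4.2), libldap2 (>= 2.1.17-1), debconf (>= 0.5) | debconf-2.0'

SAMPLE_OLD='Package: libnss-ldap
Version: 238-1
Depends: libc6 (>= 2.3.2.ds1-4), libkrb53 (>= 1.3.6), libldap2 (>= 2.1.17-1)'

# field NAME STANZA -> prints the value of the "NAME:" line of STANZA
field() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p"
}

# depends_on PKG STANZA -> exit 0 if PKG appears in Depends (any alternative),
# 1 otherwise. Splits on ',' and '|', then strips version constraints.
depends_on() {
    field Depends "$2" | tr ',|' '\n\n' | sed -e 's/^ *//' -e 's/ .*//' | grep -qx "$1"
}

# fixed_by_dsa STANZA -> exit 0 if Version is exactly one of the versions the
# advisory names as fixed (conservative: later versions are not recognised).
fixed_by_dsa() {
    case "$(field Version "$1")" in
        238-1sarge1|251-7.5etch1) return 0 ;;
        *) return 1 ;;
    esac
}

# report STANZA... -> one summary line per stanza
report() {
    for s in "$@"; do
        printf '%s %s: ' "$(field Package "$s")" "$(field Version "$s")"
        if fixed_by_dsa "$s"; then printf 'at DSA-1430-1 version; '
        else printf 'NOT at DSA-1430-1 version; '; fi
        if depends_on libkrb53 "$s"; then echo 'depends on libkrb53'
        else echo 'no libkrb53 dependency'; fi
    done
}

report "$SAMPLE_SARGE" "$SAMPLE_ETCH" "$SAMPLE_OLD"
```

Run it as-is to see the three constructed stanzas summarised; to check a real system, replace the sample stanzas with the dpkg-query output from the comment. The version test deliberately matches only the exact strings the advisory lists; use `dpkg --compare-versions` if you need "this version or later".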