[Pkg-openldap-devel] slapd: dangerous access rule in default config

Yves-Alexis Perez corsac at debian.org
Tue Jan 20 06:06:47 UTC 2015


On Tue, 2015-01-20 at 11:03 +1100, Brian May wrote:
> I realize we are getting close to a release for Jessie, however I feel that
> a security bug that allows changing your user id to 0 using default
> configuration from our stable release deserves a security fix, or at least
> a security notification asking administrators to check that they are not
> vulnerable.
> 
> (I only found out about this because it was mentioned at a talk at LCA2015)
> 
> Please consider stable users when fixing security issues in unstable.
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761406
> 
> The latest version for wheezy is 2.4.31-1+nmu2, which does have this
> problem.

Hi,

thanks for the notice. At first sight, since it's really vulnerable
when used with local authentication, I would have advised using a stable upload.

But considering the silent configuration update (which might surprise
people, especially in stable) and the fact we don't really know how
administrators might use user attributes to handle authorizations, it
might make sense to release a DSA, in order to have more exposure.

OpenLDAP team, what do you think? I can also request a CVE on oss-sec,
so we have a broader idea of what security people think about this.

Regards,
-- 
Yves-Alexis Perez - Debian Security

