[Pkg-openldap-devel] r750 - in openldap/trunk-2.1: debian libraries/libldap
Quanah Gibson-Mount
quanah at stanford.edu
Tue Nov 14 04:11:05 CET 2006
--On Tuesday, November 14, 2006 1:54 AM +0100 Steve Langasek
<vorlon at alioth.debian.org> wrote:
> Author: vorlon
> Date: 2006-11-14 01:54:38 +0100 (Tue, 14 Nov 2006)
> New Revision: 750
>
> Modified:
> openldap/trunk-2.1/debian/changelog
> openldap/trunk-2.1/libraries/libldap/init.c
> Log:
> Don't check for user configuration files when the caller is setuid;
> addresses #387467, which is a potential security hole allowing libnss-ldap
> settings to be overridden. Thanks to Stephen Frost for bringing this to my
> attention.
Howard Chu notes:
[19:07] Howard Chu: that's the wrong fix
[19:07] Howard Chu: libnss-ldap should set NOINIT for its own usage.
[19:09] Quanah: so this patch doesn't really fix anything?
[19:09] Howard Chu: probably not.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html