[Pkg-openldap-devel] slapd: dangerous access rule in default config

Yves-Alexis Perez corsac at debian.org
Tue Jan 27 16:35:08 UTC 2015


On mar., 2015-01-27 at 08:26 -0800, Ryan Tandy wrote:
> If I understand correctly, you plan to allocate a CVE, perform a 
> security upload to add the warning, and issue a DSA about it.

Actually, what I think is that a lot of people are unaware of that
configuration glitch, and bad people might currently be exploiting that.
So yes, I'd like to have some exposure so people can fix their setup.

Right now we don't have a specific idea on how to “fix” that in stable.
Silently changing the ACLs would fix the problem for all people, but
might also break things indeed, for people relying on that “feature”.

Adding a debconf note will give some exposure on top of the DSA,
although I'm not sure that'd be enough.


> Is that
> right? An automatic configuration change was mentioned in the context
> above, is that also a possibility?

In any case, I'd trust you as slapd maintainers to take the right
decision :)

> How can I help? By providing a debdiff for the backported change? By
> contacting upstream about fixing their documentation? Anything else? (By
> getting the mailing list fixed, certainly...)

Upstream contact would be nice. For the stable upload, there's no rush
(since the thing is already public right now and we just want exposure
so people are somehow forced to fix their setup).

Regards,
-- 
Yves-Alexis Perez - Debian Security


