Summary: | sys-auth/nss_ldap < 258 race condition (CVE-2007-5794) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | ldap-bugs |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://secunia.com/advisories/27670/ | ||
Whiteboard: | B4? [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2007-11-07 19:29:49 UTC
ldap-bugs please advise.

Both patches on the RH Bugzie URL are already present upstream as of nss_ldap-256, so all we need to do is stabilize nss_ldap-257.2 (which has been in the tree 29 days already). I'm aware of bug 198408 that was a build weirdness, and bug 165638 for the kerberos folk - but neither of these should hold back 257.2 going to stable.
Also, this raises bug 197467 to being security critical, you'll have to chase amd64 there to bump that package and stabilize/issue GLSA.

minor update, I just put nss_ldap-258 into the tree, it contained a singular upstream change (5 lines only) fixing nss_srv_domain usage, and I put the kerberos fix in at the same time, and hopefully resolved the build bug 198408.
It may be a better candidate than 257.2 for that reason.

(In reply to comment #3)
> and hopefully resolved the build bug 198408.
> It may be a better candidate than 257.2 for that reason.

Let's wait for a reply for today.

> Also, this raises bug 197467 to being security critical, you'll have to chase
> amd64 there to bump that package and stabilize/issue GLSA.

I added it to our emul-baselibs bug 196865.

rbu/security: bug 198408 resolved and 258 works for that user now, you can go for stabilizing 258.

Thx Robbat.

Arches please test and mark stable. Target keywords are:
nss_ldap-258.ebuild:KEYWORDS="alpha amd64 hppa mips ppc ppc64 sparc x86"

Stable for HPPA.

ppc64 stable

x86 stable

alpha/sparc stable

ppc stable

amd64 stable

Voting YES because of the high impact of dovecot returning wrong inboxes.

yes too, request filed.

GLSA 200711-33