Subject: Re: pullup security/pam-ldap update to 2005Q2?
To: Matthias Drochner <M.Drochner@fz-juelich.de>
From: Geert Hendrickx <email@example.com>
Date: 09/08/2005 12:04:33
On Wed, Sep 07, 2005 at 06:38:32PM +0200, Matthias Drochner wrote:
> firstname.lastname@example.org said:
> > Can anyone request a pullup of the recent pam-ldap security fix to
> > pkgsrc-2005Q2?
> I had considered this, but there is a difficulty: I've changed the config
> file location to a more specific name to have it nicely coexist with the
> recently added nss_ldap pkg. It is probably not a good idea to have such
> changes within a "stable" branch. The security vulnerability is a minor
> one (it needs a manipulated LDAP server as I understand it -- if someone
> is able to do this he can also supply known passwords).
> If an update is considered really necessary, one might add an INSTALL
> script which copies over the old setup file.
> (Actually, I'm curious whether anyone uses pam-ldap at all. It is almost
> useless without an nss_ldap to get at the other passwd fields.)
Ok then. I was just looking into LDAP authentication and I noticed that
the version in 2005Q2 is vulnerable. But anyway, I think I'd better go
with Kerberos, right?