Subject: Re: pullup security/pam-ldap update to 2005Q2?
To: Matthias Drochner <>
From: Geert Hendrickx <>
List: tech-pkg
Date: 09/08/2005 12:04:33
On Wed, Sep 07, 2005 at 06:38:32PM +0200, Matthias Drochner wrote:
> said:
> > Can anyone request a pullup of the recent pam-ldap security fix to
> > pkgsrc-2005Q2?   
> I had considered this, but there is a difficulty: I've changed the config
> file location to a more specific name to have it nicely coexist with the
> recently added nss_ldap pkg.  It is probably not a good idea to have such
> changes within a "stable" branch. The security vulnerability is a minor
> one (it needs a manipulated LDAP server as I understand it -- if someone
> is able to do this he can also supply known passwords).
> If an update is considered really necessary, one might add an INSTALL
> script which copies over the old setup file.
> (Actually, I'm curious whether anyone uses pam-ldap at all.  It is almost
> useless without an nss_ldap to get at the other passwd fields.)

Ok then.  I was just looking into LDAP authentication and I noticed that
the version in 2005Q2 is vulnerable.  But anyway, I think I can better go
with Kerberos, right?