- ------------------------------------------------------------------------
Debian Security Advisory DSA-1517-1
http://www.debian.org/security/                          Thijs Kinkhorst
March 15, 2008                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : ldapscripts
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2007-5373
Debian Bug     : 445582

Don Armstrong discovered that ldapscripts, a suite of tools to manipulate user accounts in LDAP, sends the password as a command line argument when calling LDAP programs, which may allow a local attacker to read this password from the process listing.

For the stable distribution (etch), this problem has been fixed in version 1.4-2etch1.

The old stable distribution (sarge) does not contain an ldapscripts package.

For the unstable distribution (sid), this problem has been fixed in version 1.7.1-2.

We recommend that you upgrade your ldapscripts package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

    Size/MD5 checksum:    18812 3e063297a5188922803a451cdbf7dd61
    Size/MD5 checksum:     8429 4d4fd01f12940bf2272cf9b2a27e34c5
    Size/MD5 checksum:      883 dabe3144f01910f1f055a2a6d9b63148

Architecture independent packages:

    Size/MD5 checksum:    28482 52a069bdb720fb9d9897f96dbc150c8a

These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb https://www.debian.org/security/ stable/updates main
For dpkg-ftp: dists/stable/updates/main

Severity: Critical
LinuxSecurity.com Team
Mar 15, 2008
Debian
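
A host can be audited for the exposure this advisory describes. The script below is an added example, not code from ldapscripts or from the advisory; it assumes the LDAP programs are the OpenLDAP client tools, which take the bind password from `-w` (in argv), `-W` (prompt) or `-y` (file). The DN, secret and file path in the sample calls are constructed.

```shell
#!/bin/sh
# Added example (not ldapscripts code): flag OpenLDAP client invocations
# whose bind password sits in argv, where the process listing shows it.

# check_argv TOOL [ARG...]
# Prints EXPOSED when an ldap* client tool is given -w <password>;
# prints OK for other tools and for -W (prompt) or -y <file>.
check_argv() {
    [ $# -gt 0 ] || { echo OK; return 0; }
    tool=${1##*/}; shift
    case "$tool" in
        ldapsearch|ldapadd|ldapmodify|ldapdelete|ldapmodrdn|ldappasswd) ;;
        *) echo OK; return 0 ;;
    esac
    for arg in "$@"; do
        case "$arg" in
            -w|-w?*) echo EXPOSED; return 0 ;;   # "-w secret" or "-wsecret"
        esac
    done
    echo OK
}

# scan_proc: apply check_argv to every readable /proc/<pid>/cmdline
# (NUL-separated argv). Reports pid and tool name only, never the secret.
scan_proc() {
    for f in /proc/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        pid=${f#/proc/}; pid=${pid%/cmdline}
        set --
        while IFS= read -r a; do set -- "$@" "$a"; done <<EOF
$(tr '\0' '\n' 2>/dev/null < "$f")
EOF
        [ "$(check_argv "$@")" = EXPOSED ] && echo "pid $pid: ${1##*/} has -w in argv"
    done
    return 0
}

# With --live, audit running processes; otherwise run two constructed samples
# (hypothetical DN, secret and password-file path).
if [ "${1:-}" = "--live" ]; then
    scan_proc
else
    check_argv ldapsearch -x -D cn=admin,dc=example,dc=org -w constructed-secret
    check_argv ldapsearch -x -D cn=admin,dc=example,dc=org -y /path/to/bindpw
fi
```

The match on `-w` is a heuristic over argv strings; a hit identifies a caller to move to `-y` with a file readable only by its owner, or to an upgraded package.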