How about a brief debconf notice with a pointer to "further info" which would be an expanded version in NEWS.Debian?
Those same users are also way less likely to understand the issue, so a "words of one syllable approach" would seem sensible to me.

-----Original Message-----
From: Ryan Tandy [mailto:r...@nardis.ca]
Sent: Thursday, 18 September 2014 4:43 p.m.
To: 761...@bugs.debian.org
Subject: Bug#761406: debconf notice or NEWS.Debian entry?

Hi pkg-openldap-devel readers,

On 13/09/14 12:05 PM, Ryan Tandy wrote:
> On 13/09/14 08:41 AM, Dietrich Clauss wrote:
>> When the LDAP is used to authenticate users (e.g. in conjunction with
>> libnss-ldapd and libpam-ldapd), the rule "olcAccess: to * by self
>> write" allows the user to change her uidNumber and impersonate
>> another user.
>>
>> IMO the default config should allow self-write access to userPassword
>> and shadowLastChange only.
>
> Thanks for the report. I've removed the offending 'by self write' in
> git. I'm not sure why that was added in the first place. The default
> slapd.conf didn't have it and I didn't find any comments about it.
>
> I don't think I'm comfortable doing an automated ACL change to
> existing installs. A NEWS.Debian entry suggesting the change (and
> mentioning how to do it) might be appropriate, though.

What do you think: an entry in NEWS.Debian, or a debconf notice (conditional on detecting a possibly-vulnerable acl)?

It occurs to me that the users most likely to be affected by this (default settings, haven't reviewed acls) are also the least likely to read apt-listchanges...
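The thread talks about detecting a possibly-vulnerable ACL and telling the admin how to fix it. The script below is an added example written for this page, not code from the Debian openldap package or from anyone in the thread. It reads the `olcAccess` values of each database as `ldapsearch` returns them from `cn=config`, flags any rule that grants `self` `write` (or `manage`) on something broader than the `userPassword`/`shadowLastChange` attributes Dietrich suggests, and prints an `ldapmodify` LDIF that replaces the database's ACL list with the same rules minus the offending `by self write` clause. The sample LDIF, the database DN `olcDatabase={1}mdb,cn=config` and the admin DN `cn=admin,dc=example,dc=com` are constructed for illustration; the only ACL shape handled is the plain `to <what> by <who> <access> ...` form that the Debian defaults use.

```python
"""Audit slapd cn=config ACLs for 'by self write' rules that let a user edit
more than their own password attributes, and emit the LDIF that fixes them."""
import re
from typing import Dict, List, Tuple

# Attributes a user may legitimately change on their own entry.
SELF_WRITABLE = {"userpassword", "shadowlastchange"}

# Constructed sample of what `ldapsearch -QLLL -Y EXTERNAL -H ldapi:/// -b cn=config
# '(olcAccess=*)' olcAccess` returns; illustrative data, not captured output.
SAMPLE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous
  auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by *
  read

"""

_INDEX_RE = re.compile(r"^\{(\d+)\}")


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_olcaccess(text: str) -> Dict[str, List[str]]:
    """Map each database DN to its ordered olcAccess values."""
    result: Dict[str, List[str]] = {}
    dn = None
    for line in unfold_ldif(text):
        if line.startswith("dn: "):
            dn = line[4:]
            result.setdefault(dn, [])
        elif line.startswith("olcAccess: ") and dn is not None:
            result[dn].append(line[len("olcAccess: "):])
    return result


def split_acl(value: str) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Return (index, target, [(who, access), ...]) for one olcAccess value."""
    m = _INDEX_RE.match(value)
    idx = m.group(1) if m else ""
    body = value[m.end():] if m else value
    parts = re.split(r"\s+by\s+", body.strip())  # 'by' separates the clauses
    target = parts[0]
    if not target.startswith("to "):
        raise ValueError(f"unexpected ACL syntax: {value!r}")
    clauses: List[Tuple[str, str]] = []
    for clause in parts[1:]:
        tokens = clause.split()
        clauses.append((tokens[0], tokens[1] if len(tokens) > 1 else ""))
    return idx, target[3:].strip(), clauses


def self_write_is_safe(target: str) -> bool:
    """True only if the rule is limited to attributes a user may change."""
    m = re.search(r"attrs=(\S+)", target)
    if not m:
        return False  # whole-entry rule: covers uidNumber, gidNumber, ...
    attrs = {a.strip().lower() for a in m.group(1).split(",")}
    return attrs <= SELF_WRITABLE


def find_risky_acls(values: List[str]) -> List[str]:
    """olcAccess values that grant self write/manage beyond the password attrs."""
    risky = []
    for v in values:
        _, target, clauses = split_acl(v)
        grants_self = any(who == "self" and access in ("write", "manage")
                          for who, access in clauses)
        if grants_self and not self_write_is_safe(target):
            risky.append(v)
    return risky


def drop_self_write(value: str) -> str:
    """Remove the 'by self write' / 'by self manage' clause, keeping the rest."""
    return re.sub(r"\s+by\s+self\s+(write|manage)\b", "", value)


def fix_ldif(dn: str, values: List[str]) -> str:
    """ldapmodify LDIF replacing the whole ACL list, order preserved, self-write gone."""
    risky = set(find_risky_acls(values))
    fixed = [drop_self_write(v) if v in risky else v for v in values]
    out = [f"dn: {dn}", "changetype: modify", "replace: olcAccess"]
    out += [f"olcAccess: {v}" for v in fixed]
    out.append("-")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for dn, values in parse_olcaccess(SAMPLE_LDIF).items():
        risky = find_risky_acls(values)
        if risky:
            print(f"# {dn}: {len(risky)} rule(s) let users write their own non-password attributes")
            print(fix_ldif(dn, values))
```

On a real host the input comes from `ldapsearch -QLLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcAccess=*)' olcAccess` run as root, and the generated LDIF is applied with `ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f fix.ldif`. Replacing the full list rather than deleting one `{n}` value avoids the renumbering that X-ORDERED deletes cause. After applying it, confirm the fix the way the report describes the problem: bind as an ordinary user and try to modify that user's own `uidNumber`; slapd should now refuse with insufficient access.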