On Mon, Dec 18, 2006 at 10:45:12AM +0100, Frank Küster wrote:
> Thomas Prokosch <[EMAIL PROTECTED]> wrote:

> > Package: xscreensaver
> > Version: 4.24-5
> > Severity: grave
> > Tags: security
> > Justification: user security hole

> Why have you set the severity of this bug to important? IMHO it should
> be RC, because indeed for a large group of users (those with LCD flat
> screens) the main purpose of a screensaver is the locking function. And
> from the network address in the original bugreport

> > xscreensaver: nss_ldap: failed to bind to LDAP server
> > ldap://ldap.example.com: Can't contact LDAP server

> it seems as if this does not only happen when actually LDAP is used for
> user authentication, but either in all cases with remote authentication,
> or even in all cases.

No, a simple "strings" on /usr/bin/xscreensaver would tell you that this is
specific to the user's configuration which does use nss_ldap.

Moreover:

- I am using this version of xscreensaver on my laptop, which occasionally
  is locked under circumstances when it doesn't have network access
- I have recently had nss_ldap enabled on this same laptop for testing
  purposes related to other bugs, and have never seen the problem described
  in this report

If the user's account is local, nss should be resolving it before ever
touching LDAP. If it's remote, provisions should be in place to ensure the
LDAP server's availability. Either way, I only see this security bug
happening on a misconfigured system.

-- 
Steve Langasek
Debian Developer
[EMAIL PROTECTED]
http://www.debian.org/
Give me a lever long enough and a Free OS to set it on, and I can move the world.

