Package: libnss-ldap
Severity: grave
Tags: security
thanks

Hi!
When using referred connections (i.e. nss-ldap talking to a slave server which refers to a master server) and openldap is configured to use TLS, then TLS is not used for the referred connection (slave -> master). This means that passwords are sent in cleartext between slave and master.

See http://bugzilla.padl.com/show_bug.cgi?id=211 for details and a patch.

Sid's openldap2 and openldap2.2 packages already have the required bug fix in the TLS authentication sanity check (see #316674), just openldap2's changelog is misleading (it doesn't actually enable the TLS for referred connections, it just fixes the sanity check).

Please mention "CAN-2005-2069" in the changelog when you fix this.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
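The failure mode in the report above is a referral being chased without the TLS requirement of the original connection, so the bind password goes to the master in clear. The following is an added example, not nss_ldap or OpenLDAP code and not the padl.com patch: a small Python model of referral chasing that places the buggy behaviour (new connection built from the referral URL alone) beside the fixed one (TLS requirement carried across the referral), plus the kind of "refuse to bind over cleartext" sanity check the report mentions. The host names, DNs, the SUPPORTS_START_TLS table and the function names are constructed for the demo; nothing touches the network.

```python
"""Model of LDAP referral chasing and the TLS-propagation bug it can hide.
Constructed example: no real LDAP library, no sockets; hosts and DNs are
hypothetical and exist only to drive the logic below."""
from dataclasses import dataclass
from urllib.parse import urlsplit


class CleartextBindError(Exception):
    """A simple bind would put the password on the wire unencrypted."""


# Constructed topology: which hosts can negotiate StartTLS (hypothetical).
SUPPORTS_START_TLS = {
    "ldap-slave.example.com": True,
    "ldap-master.example.com": True,
    "legacy-master.example.com": False,
}


@dataclass
class LdapConn:
    host: str
    port: int
    ldaps: bool       # TLS from the first byte (ldaps:// URL, port 636)
    start_tls: bool   # TLS negotiated with the StartTLS extended operation

    @property
    def encrypted(self) -> bool:
        return self.ldaps or self.start_tls


def connect(url: str, want_start_tls: bool) -> LdapConn:
    """Record the security state of a connection described by an LDAP URL.
    On a plain ldap:// URL, StartTLS is negotiated only when asked for;
    if the peer cannot do it, fail rather than silently continue in clear."""
    u = urlsplit(url)
    if u.scheme not in ("ldap", "ldaps") or not u.hostname:
        raise ValueError(f"not an LDAP URL: {url}")
    ldaps = u.scheme == "ldaps"
    port = u.port or (636 if ldaps else 389)
    start_tls = False
    if want_start_tls and not ldaps:
        if not SUPPORTS_START_TLS.get(u.hostname, False):
            raise CleartextBindError(f"{u.hostname} cannot negotiate StartTLS")
        start_tls = True
    return LdapConn(u.hostname, port, ldaps, start_tls)


def follow_referral_buggy(orig: LdapConn, referral_url: str) -> LdapConn:
    """The defect in the report: the new connection is built from the
    referral URL alone, so an ldap:// referral comes up in cleartext even
    though the original (slave) connection was protected with StartTLS."""
    return connect(referral_url, want_start_tls=False)


def follow_referral_fixed(orig: LdapConn, referral_url: str) -> LdapConn:
    """Carry the TLS requirement across the referral: if the original
    connection was encrypted, the referred one must be (ldaps:// or StartTLS)."""
    return connect(referral_url, want_start_tls=orig.encrypted)


def simple_bind(conn: LdapConn, dn: str, password: str) -> bool:
    """Sanity check of the kind the report mentions: refuse to send a
    simple-bind password over an unencrypted connection."""
    if not conn.encrypted:
        raise CleartextBindError(
            f"refusing simple bind as {dn} over cleartext to {conn.host}:{conn.port}")
    return True   # the (pretend) bind itself is out of scope here


def raises_cleartext(fn, *args) -> bool:
    """True if fn(*args) is stopped by the cleartext check."""
    try:
        fn(*args)
    except CleartextBindError:
        return True
    return False


if __name__ == "__main__":
    referral = "ldap://ldap-master.example.com/dc=example,dc=com"
    slave = connect("ldap://ldap-slave.example.com", want_start_tls=True)
    leaky = follow_referral_buggy(slave, referral)
    print("buggy referral encrypted:", leaky.encrypted)
    print("bind blocked by sanity check:",
          raises_cleartext(simple_bind, leaky, "cn=proxy,dc=example,dc=com", "s3cret"))
    print("fixed referral encrypted:", follow_referral_fixed(slave, referral).encrypted)
```

Two points the model makes explicit: the sanity check in simple_bind stops the password leak even when referral handling is wrong, which is why fixing only the check (as the report says openldap2 did) closes the leak but leaves referrals failing rather than working over TLS; and follow_referral_fixed must fail hard on a referral target that cannot negotiate TLS instead of downgrading.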