Package: libnss-ldap
Severity: grave
Tags: security
thanks

Hi!

When using referred connections (i.e. nss-ldap talking to a slave
server which refers to a master server) and openldap is configured to
use TLS, then TLS is not used for the referred connection (slave ->
master). This means that passwords are sent in cleartext between slave
and master.

See

  http://bugzilla.padl.com/show_bug.cgi?id=211

for details and a patch. Sid's openldap2 and openldap2.2 packages
already have the required bug fix in the TLS authentication sanity
check (see #316674), just openldap2's changelog is misleading (it
doesn't actually enable the TLS for referred connections, it just
fixes the sanity check).

Please mention "CAN-2005-2069" in the changelog when you fix this.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
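As an added illustration (not code from nss-ldap, openldap or the padl.com patch), here is a small Python model of the defect described above: a referral-following routine that builds the referred connection from defaults and so drops the parent's TLS setting, beside a corrected one that carries it over, plus a pre-bind check that refuses to send credentials over a weaker channel than the referring connection. The URI schemes, sample hostnames and credential are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Protection level of an LDAP connection, ordered so that a referral may
# never land on a lower level than the connection it came from.
CLEARTEXT, STARTTLS, LDAPS, LOCAL = 0, 1, 2, 3


@dataclass(frozen=True)
class LdapConn:
    uri: str              # e.g. ldap://slave.example.org (constructed sample)
    start_tls: bool       # client issues StartTLS before binding
    cred: Optional[str]   # credential to be sent in the bind, if any


class CleartextReferral(Exception):
    pass


def protection(conn: LdapConn) -> int:
    scheme = urlsplit(conn.uri).scheme.lower()
    if scheme == "ldapi":   # local unix socket, never on the wire
        return LOCAL
    if scheme == "ldaps":
        return LDAPS
    if scheme == "ldap":
        return STARTTLS if conn.start_tls else CLEARTEXT
    raise ValueError(f"unsupported scheme in {conn.uri!r}")


def follow_referral_buggy(parent: LdapConn, referral_uri: str) -> LdapConn:
    # Models the reported defect: the referred connection is created with
    # default options, so the parent's TLS setting is lost.
    return LdapConn(uri=referral_uri, start_tls=False, cred=parent.cred)


def follow_referral_fixed(parent: LdapConn, referral_uri: str) -> LdapConn:
    # Hardened: carry the TLS requirement over to the new connection.
    return LdapConn(uri=referral_uri, start_tls=parent.start_tls, cred=parent.cred)


def is_safe_to_bind(parent: LdapConn, child: LdapConn) -> bool:
    # Credentials may only go out over a channel at least as protected as
    # the one that produced the referral; anonymous binds are exempt.
    return child.cred is None or protection(child) >= protection(parent)


def check_before_bind(parent: LdapConn, child: LdapConn) -> LdapConn:
    if not is_safe_to_bind(parent, child):
        raise CleartextReferral(f"referral to {child.uri} downgrades protection; refusing bind")
    return child
```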
