On Thu, 27 Oct 2005 23:36:49 +0200 David Härdeman <[EMAIL PROTECTED]> wrote:
> On Thu, Oct 27, 2005 at 11:27:04PM +0200, Stefan Hornburg wrote:
> >On Thu, 27 Oct 2005 23:11:52 +0200 David Härdeman <[EMAIL PROTECTED]> wrote:
> >> I hope that a fixed version can be included in sarge as soon as possible
> >> since this could potentially be a security issue (e.g. if the account
> >> has been disabled, access would still be granted).
> >
> >Please contact the security team about this matter.
>
> Yep, I cc:ed them in the mail so I'll wait and see what they decide.

FYI: I found a message from upstream author Sam Varshavchik about the reason why he disabled this call in the courier-imap mailing list:

--snip--
Aman Gupta writes:

> I am trying to figure out why the pam_acct_mgmt() function call was
> commented out 4 years ago in this cvs update:
> http://cvs.sourceforge.net/viewcvs.py/courier/libs/authlib/authpam.c?...

It appears that the reason is memory leaks in PAM.

> If possible, please uncomment this code so that pam account modules can
> be used to control access based on time, date, group membership, etc.

Can't you uncomment it yourself, and see what happens?
--snap--

So I suppose it is safe to enable this call.

Bye
        Racke

-- 
LinuXia Systems => http://www.linuxia.de/ Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/ Interchange Development Team