forwarded 445582 [EMAIL PROTECTED]
thanks

FYI:

On Sun, Oct 07, 2007 at 03:54:43AM +0000, Don Armstrong wrote:
> Package: ldapscripts
> Severity: serious
> Version: 1.4-2
> Tag: security
>
> Unless you're running grsecurity or some other patched kernel, the
> following cannot be good:
>
> _changepassword () {
>   if [ -z "$1" ] || [ -z "$2" ]
>   then
>     end_die "_changepassword : missing argument(s)"
>   else
>     if is_yes "$RECORDPASSWORDS"
>     then
>       echo "$2 : $1" >> "$PASSWORDFILE"
>     fi
>     $LDAPPASSWDBIN -w "$BINDPWD" -D "$BINDDN" -xH "ldap://$SERVER" -s "$1" "$2" 2>>"$LOGFILE" 1>/dev/null
>   fi
> }

The issue may appear in other places in your code (there are e.g. some
unsafe sed calls). Though I must say I don't really know how to fix
this minimally.

-- 
·O·  Pierre Habouzit
··O  [EMAIL PROTECTED]
OOO  http://www.madism.org
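Added example, not code from ldapscripts or from either author of the messages above: one way to keep the two secrets in the quoted `_changepassword` off the `ldappasswd` command line, where other local users can read them from the process list on a stock kernel, by using OpenLDAP's `-y` and `-T` file options. The name `_changepassword_safe` and the temporary-file layout are hypothetical; the variables are those of the quoted function, and its `RECORDPASSWORDS` branch is not reproduced.

```shell
#!/bin/sh
# Added example: hand both secrets to ldappasswd through files, not argv.
# Variable names follow the quoted function; _changepassword_safe and the
# temporary-file names are hypothetical.

_changepassword_safe () {   # $1 = new password, $2 = user DN
  if [ -z "$1" ] || [ -z "$2" ]; then
    echo "_changepassword_safe : missing argument(s)" >&2
    return 1
  fi
  _old_umask=$(umask)
  umask 077                                 # temp files readable by owner only
  _tmpdir=$(mktemp -d) || { umask "$_old_umask"; return 1; }
  # printf is a builtin in bash and dash, so the secrets are never placed in
  # the argv of a spawned process. No trailing newline is written, because
  # the file contents are taken as the password.
  printf '%s' "$BINDPWD" > "$_tmpdir/bind"
  printf '%s' "$1" > "$_tmpdir/new"
  umask "$_old_umask"
  # -y: read the bind password from a file
  # -T: read the new password from a file
  "$LDAPPASSWDBIN" -y "$_tmpdir/bind" -D "$BINDDN" -xH "ldap://$SERVER" \
      -T "$_tmpdir/new" "$2" 2>>"$LOGFILE" 1>/dev/null
  _rc=$?
  rm -rf "$_tmpdir"                         # remove the secrets after use
  return $_rc
}
```

The user DN still appears in the argument list; only the bind password and the new password are moved into files.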