Package: libnss-pgsql2
Version: 1.4.0debian-2
Severity: important

Any local user can completely disable NSS resolution in the DB by changing the password to the database.

Unlike mysql, postgres does not allow creating a user ("role") which has no possibility to change its own password (a so-called "anonymous user"). Thus, any local user can obtain the password from /etc/nss-pgsql.conf and change it, and access to the DB will be corrupted.

-- System Information:
Debian Release: squeeze/sid
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-1-686 (SMP w/1 CPU core)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-pgsql2 depends on:
ii  libc6   2.9-25   GNU C Library: Shared libraries
ii  libpq5  8.4.1-1  PostgreSQL C client library

libnss-pgsql2 recommends no packages.

Versions of packages libnss-pgsql2 suggests:
ii  libpam-pgsql  0.6.3-2  PAM module to authenticate using a
ii  nscd          2.9-25   GNU C Library: Name Service Cache

-- debconf-show failed