Package: libnss-pgsql2
Version: 1.4.0debian-2
Severity: important

Any local user can completely disable NSS resolution in DB by changing the
password to the database.

Unlike mysql, postgres does not allow creating a user ("role") which has no
possibility to change its own password (so-called "anonymous user").

Thus, any local user can obtain the password from /etc/nss-pgsql.conf and
change it, and access to the DB will be corrupted.



-- System Information:
Debian Release: squeeze/sid
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'proposed-updates'), (500, 'unstable'), 
(500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-1-686 (SMP w/1 CPU core)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-pgsql2 depends on:
ii  libc6                         2.9-25     GNU C Library: Shared libraries
ii  libpq5                        8.4.1-1    PostgreSQL C client library

libnss-pgsql2 recommends no packages.

Versions of packages libnss-pgsql2 suggests:
ii  libpam-pgsql                  0.6.3-2    PAM module to authenticate using a
ii  nscd                          2.9-25     GNU C Library: Name Service Cache 

-- debconf-show failed
