Subject: libapache2-mod-auth-kerb: Need ability to transfer credential in a variable

Package: libapache2-mod-auth-kerb
Version: 5.3-5
Severity: wishlist

Need ability to transfer credential in a variable rather than as a reference to a file in KRB5CCNAME. Currently a CGI script containing an error allows an attacker to gather all credentials in /tmp and use them. (An attacker can use the credentials through a script with the same error, for example.) Transferring credentials into a script using a variable excludes the ability to collect credentials from files.

-- System Information:
Debian Release: squeeze/sid
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-1-686 (SMP w/1 CPU core)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libapache2-mod-auth-kerb depends on:
ii  apache2.2-commo  2.2.14-1                  Apache HTTP Server common files
ii  krb5-config      1.22                      Configuration files for Kerberos V
ii  libc6            2.9-25                    GNU C Library: Shared libraries
ii  libcomerr2       1.41.9-1                  common error description library
ii  libkrb53         1.6.dfsg.4~beta1-5lenny1  MIT Kerberos runtime libraries

libapache2-mod-auth-kerb recommends no packages.

libapache2-mod-auth-kerb suggests no packages.

-- debconf-show failed