Hi
> > I would suggest using mktemp instead, which creates unique temporary
> > filenames, which cannot be guessed.
>
> What would be the point? $TMPDIR is 0700.
Bah, I overlooked the umask call. Thanks for the pointer.
Cheers
Steffen
On Sun, Oct 21, 2007 at 08:16:49AM +, Steffen Joeris wrote:
> Hi
>
> Today, I had a look at the new upstream version 1.7.1, in order to fix
> unstable and testing. The new upstream version uses a function called
> mktempf(). There you generate the tempfile. However, you do not use
> the
Hi
Today, I had a look at the new upstream version 1.7.1, in order to fix
unstable and testing. The new upstream version uses a function called
mktempf(). There you generate the tempfile. However, you do not use
the "mktemp" program. I did not try it so far, but I think that it is
possible
On Sat, 13 Oct 2007 13:37:25 +0200 (CEST), Ganael LAPLANCHE wrote
> On Thu, 11 Oct 2007 08:32:52 +0200 (CEST), Ganael LAPLANCHE wrote
>
> Hi everybody,
>
> ldapscripts v1.7.1 are now available and fix these issues.
Whoops, sorry, I forgot to tell you where the update is available:
http://contribs.ma
On Thu, 11 Oct 2007 08:32:52 +0200 (CEST), Ganael LAPLANCHE wrote
Hi everybody,
ldapscripts v1.7.1 are now available and fix these issues.
Here is the CHANGELOG :
2007/10/13 : ldapscripts 1.7.1
- Fixes for CVE-2007-5373
see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-20
On Wed, 10 Oct 2007 20:55:04 +0200, Pierre Habouzit wrote
> If the server crash, then it will be rebooted, and /tmp is cleansed
> at boot time, so no worries here.
Well, it depends on your system and how it is configured... But I agree, such a
situation (crash /while/ using the script + /tmp not
On Wed, Oct 10, 2007 at 06:03:02PM +, Ganael LAPLANCHE wrote:
> On Mon, 08 Oct 2007 20:02:42 +0200, Pierre Habouzit wrote
>
> > IMHO the best fix is to have in your "runtime" file sth like:
> > [...]
>
> Hi again Pierre,
>
> I am still working on patching the scripts. This will lead to a 'se
On Mon, 08 Oct 2007 20:02:42 +0200, Pierre Habouzit wrote
> IMHO the best fix is to have in your "runtime" file sth like:
> [...]
Hi again Pierre,
I am still working on patching the scripts. This will lead to a 'security
release' named 1.7.1, quite soon (I hope).
Binding is Ok, I will use a fil
On Mon, 08 Oct 2007 18:04:49 +0200, Pierre Habouzit wrote
> The issue is that when the commands are run, the arguments can be
> seen in clear text in `ps aux` output.
>
> So not only that script has the issue, the parts where you sed -e
> "s//$PASSWORD/g" are vulnerable too.
Hi again Pierre,
On Mon, Oct 08, 2007 at 05:52:29PM +, Ganael LAPLANCHE wrote:
> On Mon, 08 Oct 2007 18:04:49 +0200, Pierre Habouzit wrote
> > The issue is that when the commands are run, the arguments can be
> > seen in clear text in `ps aux` output.
> >
> > So not only that script has the issue, the par
On Mon, Oct 08, 2007 at 02:57:42PM +, Ganael LAPLANCHE wrote:
> On Mon, 08 Oct 2007 14:10:21 +0200, Pierre Habouzit wrote
>
> Hi Pierre,
>
> > > Unless you're running grsecurity or some other patched kernel, the
> > > following cannot be good:
> > >
> > > $LDAPPASSWDBIN -w "$BINDPWD" -D
On Mon, Oct 08, 2007 at 12:33:06PM +, Stefan Cornelius wrote:
> Hi,
>
> > The issue may appear in other places in your code (there is e.g. some
> > unsafe seds calls). Though I must say I don't really know how to fix
> > this minimally.
>
> my non-debian man page says:
> -y passwdfile
> Use
Oops, disregard my previous message. Seems like I was a bit trigger happy
and mixed it up with the -T parameter?
-T newPasswdFile
Set the new password to the contents of newPasswdFile.
I managed to confuse myself right
now and I'm not even sure if any of these params are OK at all. So better
don
Hi,
> The issue may appear in other places in your code (there is e.g. some
> unsafe seds calls). Though I must say I don't really know how to fix
> this minimally.
my non-debian man page says:
-y passwdfile
Use complete contents of passwdfile as the password for simple
authentication.
That and
forwarded 445582 [EMAIL PROTECTED]
thanks
FYI:
On Sun, Oct 07, 2007 at 03:54:43AM +, Don Armstrong wrote:
> Package: ldapscripts
> Severity: serious
> Version: 1.4-2
> Tag: security
>
> Unless you're running grsecurity or some other patched kernel, the
> following cannot be good:
>
> _chang
Package: ldapscripts
Severity: serious
Version: 1.4-2
Tag: security
Unless you're running grsecurity or some other patched kernel, the
following cannot be good:
_changepassword () {
  if [ -z "$1" ] || [ -z "$2" ]
  then
    end_die "_changepassword : missing argument(s)"
  else
    if is_yes "$R
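The two problems the thread is circling, Pierre's point that a password passed as `-w "$BINDPWD"` is readable in `ps aux` by every local user, and the `-y passwdfile` alternative from the man page excerpt, together with the mktemp/umask exchange at the top of the thread, can be shown side by side in a small POSIX sh script. This is an added example, not code from ldapscripts or from anyone in the thread: the `worker` process is a plain `sh` stand-in for the LDAP client, `cmdline_of` is a helper defined here that reads the argument vector through `ps` (falling back to `/proc/<pid>/cmdline`), and the secret and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this thread; it is not code from ldapscripts.  It shows
# why `$LDAPPASSWDBIN -w "$BINDPWD"` leaks the bind password to every local
# user through ps (or /proc/<pid>/cmdline), and the alternative of handing
# the secret over in a mode-0600 temp file whose *name* is all that appears
# in argv (the shape of ldappasswd's "-y passwdfile").  "worker" is a sh
# stand-in for the LDAP client; the secret and file names are constructed.

# What another user on the box can see of process $1: its argument vector.
cmdline_of() {
    ps -o args= -p "$1" 2>/dev/null \
        || tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null \
        || :
}

# Variant 1, as in the bug report: the secret is passed as an argument.
# Returns 0 if the secret shows up in the running process's command line.
secret_visible_in_argv() {
    secret=$1
    # "; :" keeps sh from exec'ing sleep directly, so sh's own argv stays visible
    sh -c 'sleep 3; :' worker -w "$secret" &
    pid=$!
    sleep 1                                  # let the child start
    seen=$(cmdline_of "$pid")
    kill "$pid" 2>/dev/null || :
    wait "$pid" 2>/dev/null || :
    case "$seen" in
        *"$secret"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Variant 2, the fix the thread converges on: write the secret to a private
# temp file and pass only its path.  Returns 0 if the secret is absent from
# argv AND the file is readable by its owner alone.
secret_hidden_via_file() {
    secret=$1
    # umask 077 *before* mktemp: the file is born 0600 whatever the caller's
    # umask was, so there is no window in which it is group/world readable.
    old_umask=$(umask)
    umask 077
    pwfile=$(mktemp "${TMPDIR:-/tmp}/bindpw.XXXXXX") || return 2
    umask "$old_umask"
    # no trailing newline: -y uses the *complete* contents of the file
    printf '%s' "$secret" > "$pwfile"
    mode=$(ls -l "$pwfile" | cut -c1-10)

    # stand-in client: reads the password from the file named after -y
    sh -c 'cat "$2" >/dev/null; sleep 3; :' worker -y "$pwfile" &
    pid=$!
    sleep 1
    seen=$(cmdline_of "$pid")
    kill "$pid" 2>/dev/null || :
    wait "$pid" 2>/dev/null || :
    rm -f "$pwfile"                          # never leave the password behind

    case "$seen" in
        *"$secret"*) return 1 ;;             # leaked: the path did not help
    esac
    [ "$mode" = "-rw-------" ]
}

# Demo run: the first line reproduces the leak, the second shows the fix.
if secret_visible_in_argv 'hunter2-bindpw'; then
    echo "argv variant: password visible to ps"
fi
if secret_hidden_via_file 'hunter2-bindpw'; then
    echo "file variant: only the temp file path is visible; file is 0600"
fi
```

The umask is set before `mktemp` rather than after, which is the detail Steffen says he overlooked: `mktemp` creates the file with the umask in force at that moment, so a 0700 `$TMPDIR` is defence in depth but the file itself should also be 0600 from the start. The file is removed as soon as the client has read it, which is what makes the "crash while using the script" case discussed above a narrow window rather than a standing exposure.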