ldapscripts -- programming error

2008-03-15T00:00:00
ID DSA-1517
Type debian
Reporter Debian
Modified 2008-03-15T00:00:00

Description

Don Armstrong discovered that ldapscripts, a suite of tools to manipulate user accounts in LDAP, sends the password as a command line argument when calling LDAP programs, which may allow a local attacker to read this password from the process listing.

The old stable distribution (sarge) does not contain an ldapscripts package.

For the stable distribution (etch), this problem has been fixed in version 1.4-2etch1.

For the unstable distribution (sid), this problem has been fixed in version 1.7.1-2.

We recommend that you upgrade your ldapscripts package.
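
The exposure described above can be audited for on a host. The following is an added example, not code from ldapscripts or from the advisory: it flags OpenLDAP client invocations that carry the bind password in argv via `-w` and never prints the secret. The function names are hypothetical, the sample argument lists are constructed, and it assumes the standard OpenLDAP client options (`-w passwd`, `-W` to prompt, `-y passwdfile`).

```shell
#!/bin/sh
# Audit helper: detect LDAP client tools started with the bind password
# on the command line, where it is visible to every local user via ps.

# flag_ldap_argv TOOL [ARG...]
# Prints EXPOSED if TOOL is an OpenLDAP client and any argument is
# "-w" or "-w<password>"; prints OK otherwise. Only -w is checked.
flag_ldap_argv() {
    case "${1##*/}" in
        ldapsearch|ldapadd|ldapmodify|ldapdelete|ldapmodrdn|ldappasswd) ;;
        *) echo OK; return 0 ;;
    esac
    shift
    for arg in "$@"; do
        case "$arg" in
            # Case-sensitive: -W (prompt) and -y (file) do not match.
            -w*) echo EXPOSED; return 0 ;;
        esac
    done
    echo OK
}

# scan_processes
# Applies the check to every running process and reports the PID and
# tool name only; the argument list is deliberately not echoed.
scan_processes() {
    ps -e -o pid= -o args= | while read -r pid args; do
        set -f   # no globbing while $args is word-split on purpose
        if [ "$(flag_ldap_argv $args)" = EXPOSED ]; then
            echo "pid $pid: ${args%% *} has a bind password in argv"
        fi
        set +f
    done
}

# Constructed sample invocations (not taken from ldapscripts):
flag_ldap_argv ldapadd -x -D cn=admin,dc=example,dc=com -w CONSTRUCTED-SECRET
flag_ldap_argv ldapadd -x -D cn=admin,dc=example,dc=com -y /path/to/pwfile
```

Calling `scan_processes` from cron or an audit job only catches processes that are running at that moment, so it complements the upgrade rather than replacing it.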