Package: ldap-account-manager
Version: 1.0.2-1.1
Severity: critical
Tags: security
Hello,
If I save the user's settings *without* going to the "Unix" settings page
no errors are produced, but the user's password is changed:
"{crypt}*" --> "{crypt}"
"{crypt}!" --> "{crypt}"
"{crypt}!password" --> "{crypt}password"
As far as I can tell there are no security ramifications for the first
two situations, as the password is still invalid, but it is very weird.
Unfortunately, it appears the last case will automatically unlock a
locked account even though I never told ldap-account-manager to do so.
--
Brian May <[EMAIL PROTECTED]>
Victorian Partnership for Advanced Computing
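
A check for the behaviour reported above, as an added example that is not part of the original report or of ldap-account-manager: it compares a userPassword value before and after a save and flags a silent unlock. The function names and sample DNs are constructed; treating a leading "!" or "*" as the lock marker and an empty value as unusable is an assumption taken from the report's three cases.

```python
import re

# "{crypt}" style scheme prefix followed by the stored hash text.
_SCHEME = re.compile(r"^(\{[A-Za-z0-9_-]+\})(.*)$", re.S)

def parse(value):
    """Split a userPassword value into (scheme, body, locked)."""
    m = _SCHEME.match(value)
    scheme, body = (m.group(1), m.group(2)) if m else ("", value)
    # Assumption from the report: a leading "!" or "*" marks the value as locked/invalid.
    return scheme, body, body[:1] in ("!", "*")

def usable(value):
    """True if the value could authenticate: not locked and not empty."""
    _, body, locked = parse(value)
    return not locked and body != ""

def classify(before, after):
    """Describe what a save did to the lock state of one userPassword value."""
    if before == after:
        return "unchanged"
    b_scheme, b_body, b_locked = parse(before)
    a_scheme, a_body, _ = parse(after)
    # Same scheme, and the only difference is the single leading marker.
    stripped = b_locked and b_scheme == a_scheme and b_body[1:] == a_body
    if stripped and usable(after):
        return "unlocked"          # locked account became usable
    if stripped:
        return "marker-stripped"   # value altered but still unusable
    return "changed"

def audit(snapshots):
    """snapshots: iterable of (dn, before, after). Return entries that were altered."""
    return [(dn, classify(b, a)) for dn, b, a in snapshots if b != a]

# Constructed sample data: the three transitions from the report plus a control.
SAMPLE = [
    ("uid=a,ou=people,dc=example,dc=org", "{crypt}*", "{crypt}"),
    ("uid=b,ou=people,dc=example,dc=org", "{crypt}!", "{crypt}"),
    ("uid=c,ou=people,dc=example,dc=org", "{crypt}!password", "{crypt}password"),
    ("uid=d,ou=people,dc=example,dc=org", "{crypt}password", "{crypt}password"),
]

if __name__ == "__main__":
    for dn, verdict in audit(SAMPLE):
        print(f"{verdict:16} {dn}")
```
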