Package: nslcd
Version: 0.9.4-3+deb8u2
Severity: grave
Tags: jessie
Justification: causes non-serious data loss and DoS from an end user.

It appears that nslcd can be killed by the OOM Killer when some user
process takes all the memory. In such a case, it is no longer possible
to connect to the machine by SSH. Thus this is a DoS by an end user,
with possible data loss concerning what is running on the machine.

Shouldn't the patch be backported?

  https://lists.arthurdejong.org/nss-pam-ldapd-users/2015/msg00036.html

(I know that there is a new Debian/stable version, but it is quite new,
so that there will be some time before the machines are upgraded to it.)

-- System Information:
Debian Release: 8.9
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/16 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nslcd depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56+deb8u1
ii  libc6                  2.19-18+deb8u10
ii  libgssapi-krb5-2       1.12.1+dfsg-19+deb8u2
ii  libldap-2.4-2          2.4.40+dfsg-1+deb8u3

Versions of packages nslcd recommends:
ii  bind9-host [host]           1:9.9.5.dfsg-9+deb8u13
ii  host                        1:9.9.5.dfsg-9+deb8u13
ii  ldap-utils                  2.4.40+dfsg-1+deb8u3
ii  libnss-ldapd [libnss-ldap]  0.9.4-3+deb8u2
ii  libpam-ldapd [libpam-ldap]  0.9.4-3+deb8u2
ii  nscd                        2.19-18+deb8u10
ii  nslcd-utils                 0.9.4-3+deb8u2

Versions of packages nslcd suggests:
pn  kstart  <none>

-- debconf-show failed

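What a practitioner would check on an affected jessie host, as an added example that is not part of the bug report or of the nslcd project: a small POSIX shell script that finds the running nslcd, reads its oom_score_adj and classifies it, and writes a systemd drop-in using the real OOMScoreAdjust= directive so that nslcd is never chosen by the OOM killer. Assumptions: a Linux /proc, systemd as init (as the report's system information shows), a unit named nslcd.service, and a drop-in directory under /etc/systemd/system; the process tree used for the checks is constructed. This is a local mitigation and makes no claim about what the patch referenced above does.

```shell
#!/bin/sh
# Added example, not code from the bug report or from nslcd.
# Assumes Linux /proc semantics and a systemd unit named nslcd.service.

# classify_oom_adj VALUE: map an oom_score_adj value to a verdict.
# -1000 removes the process from OOM-killer selection entirely; any other
# negative value only lowers its badness score relative to other processes.
classify_oom_adj() {
    case "$1" in
        -1000) echo "immune" ;;
        -*)    echo "deprioritised" ;;
        *)     echo "killable" ;;
    esac
}

# oom_adj_of PROC_ROOT NAME: locate the process whose comm is NAME under
# PROC_ROOT (normally /proc; a constructed tree in the checks) and print its
# oom_score_adj. Returns 1 if no such process exists.
oom_adj_of() {
    root=$1
    name=$2
    for d in "$root"/[0-9]*; do
        [ -r "$d/comm" ] || continue
        if [ "$(cat "$d/comm")" = "$name" ]; then
            cat "$d/oom_score_adj"
            return 0
        fi
    done
    return 1
}

# write_dropin DIR: write a drop-in for nslcd.service under DIR (assumed to be
# /etc/systemd/system on a real host). OOMScoreAdjust= is systemd's own
# [Service] directive and sets /proc/<pid>/oom_score_adj for the daemon.
write_dropin() {
    mkdir -p "$1/nslcd.service.d"
    cat > "$1/nslcd.service.d/oom.conf" <<'EOF'
[Service]
OOMScoreAdjust=-1000
EOF
}

# Stand-alone use: report on the live nslcd when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    if adj=$(oom_adj_of /proc nslcd); then
        echo "nslcd oom_score_adj=$adj ($(classify_oom_adj "$adj"))"
    else
        echo "nslcd is not running"
    fi
fi
```

Run it with `--live` to see whether the running nslcd is still "killable"; to apply the mitigation, call `write_dropin /etc/systemd/system`, then `systemctl daemon-reload` and restart nslcd. Protecting sshd alone does not help here: a login still needs nslcd to answer the NSS and PAM lookups, which is exactly the failure the report describes.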