Package: nslcd
Version: 0.9.4-3+deb8u2
Severity: grave
Tags: jessie
Justification: causes non-serious data loss and DoS from an end user.

It appears that nslcd can be killed by the OOM Killer when some user process takes all the memory. In such a case, it is no longer possible to connect to the machine by SSH. Thus this is DoS by an end user, with possible data loss concerning what is running on the machine.

Shouldn't the patch be backported?

https://lists.arthurdejong.org/nss-pam-ldapd-users/2015/msg00036.html

(I know that there is a new Debian/stable version, but it is quite new, so that there will be some time before the machines are upgraded to it.)

-- System Information:
Debian Release: 8.9
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/16 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nslcd depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56+deb8u1
ii  libc6                  2.19-18+deb8u10
ii  libgssapi-krb5-2       1.12.1+dfsg-19+deb8u2
ii  libldap-2.4-2          2.4.40+dfsg-1+deb8u3

Versions of packages nslcd recommends:
ii  bind9-host [host]           1:9.9.5.dfsg-9+deb8u13
ii  host                        1:9.9.5.dfsg-9+deb8u13
ii  ldap-utils                  2.4.40+dfsg-1+deb8u3
ii  libnss-ldapd [libnss-ldap]  0.9.4-3+deb8u2
ii  libpam-ldapd [libpam-ldap]  0.9.4-3+deb8u2
ii  nscd                        2.19-18+deb8u10
ii  nslcd-utils                 0.9.4-3+deb8u2

Versions of packages nslcd suggests:
pn  kstart  <none>

-- debconf-show failed
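Added example, not part of the bug report and not the backported patch it asks for (the report does not say what that patch changes): a local, administrator-side mitigation for the failure mode described above. On a systemd host such as the reporter's, a unit drop-in can set OOMScoreAdjust=-1000 for nslcd.service so the kernel OOM killer prefers the memory-hungry user process over the daemon that SSH logins depend on. The unit name nslcd.service and the drop-in path are assumptions; the functions take the drop-in root as a parameter so the script can be exercised in a scratch directory before being applied under /etc/systemd/system.

```shell
#!/bin/sh
# Added example (not the nslcd package's own code, not the upstream patch).
# Assumptions: init is systemd, the daemon runs as nslcd.service, and the
# drop-in root defaults to /etc/systemd/system when no argument is given.

# Write a drop-in that protects nslcd from the OOM killer.
# $1 = drop-in root (default /etc/systemd/system). Prints the file written.
write_nslcd_oom_dropin() {
    root="${1:-/etc/systemd/system}"
    dir="$root/nslcd.service.d"
    mkdir -p "$dir"
    cat > "$dir/oom.conf" <<'EOF'
[Service]
# -1000 is the lowest adjustment; the OOM killer will not select this process.
OOMScoreAdjust=-1000
EOF
    printf '%s\n' "$dir/oom.conf"
}

# Print the OOMScoreAdjust value configured in a drop-in file ($1).
dropin_oom_value() {
    sed -n 's/^OOMScoreAdjust=//p' "$1"
}

# Print the live oom_score_adj of the first process whose comm is $1,
# or "absent" (exit 1) if no such process is running. Walks /proc directly
# so it needs neither pidof nor pgrep.
oom_score_adj_of_comm() {
    for p in /proc/[0-9]*; do
        if [ "$(cat "$p/comm" 2>/dev/null)" = "$1" ]; then
            cat "$p/oom_score_adj"
            return 0
        fi
    done
    echo absent
    return 1
}

# Apply on a real host (requires root), then verify the running daemon:
#   write_nslcd_oom_dropin
#   systemctl daemon-reload && systemctl restart nslcd
#   oom_score_adj_of_comm nslcd      # expected: -1000
```

A score of -1000 only protects nslcd itself; if sshd or the PAM stack is killed instead, logins still fail, so the same drop-in is worth considering for ssh.service. This is a mitigation for the DoS, not a substitute for the fix the report requests.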

