[Bug 423252] nss-ldap, SUID executables, gcrypt
Hi all,

this bug has been brought to my attention by my boss today.

If I understand the situation correctly, the problem is:

• OpenLDAP links against GnuTLS (gnutls26)
• gnutls26 links against gcrypt, which has the bug
• gnutls28 links against nettle, but also gmp which is LGPLv3+
• OpenLDAP thus can’t link against gnutls28, as it has reverse dependencies that are not LGPLv3-/GPLv3-compatible
• the package affected is libnss-ldap though

For some reason, neither nscd nor unscd seems to be able to work around this bug, so it has become rather critical (e.g. for use in company networks).

Why not do a readline and provide *two* versions of the OpenLDAP client libraries, keep libldap-2.4-2 linked against gnutls26 and add another shared library plus development package (with at least the two shared library packages coïnstallable) to link against gnutls28 and build these BOTH from the SAME source package at the SAME time, so an upload of OpenLDAP will not need another package to be (re-)built to stay in sync.

Did anyone think of it already and will shoot this idea down immediately? Or could it work?

bye,
//mirabilos • t...@debian.org

--
https://bugs.launchpad.net/bugs/423252
Title: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Re: [Bug 423252] nss-ldap, SUID executables, gcrypt
Thorsten Glaser 423...@bugs.launchpad.net writes:

> Why not do a readline and provide *two* versions of the OpenLDAP client libraries, keep libldap-2.4-2 linked against gnutls26 and add another shared library plus development package (with at least the two shared library packages coïnstallable) to link against gnutls28 and build these BOTH from the SAME source package at the SAME time, so an upload of OpenLDAP will not need another package to be (re-)built to stay in sync.
>
> Did anyone think of it already and will shoot this idea down immediately? Or could it work?

I proposed this with openssl in Debian before (#579647), but it looks like it was merged with my original bug report in gcrypt later and then got lost.

Regards,
Ansgar