Debian Security Advisory
DSA-1287-1 ldap-account-manager -- multiple vulnerabilities
- Date Reported: 07 May 2007
- Affected Packages: ldap-account-manager
- Security database references:
- In the Debian bugtracking system: Bug 415379.
In Mitre's CVE dictionary: CVE-2006-7191, CVE-2007-1840.
- More information:
Two vulnerabilities have been identified in the version of ldap-account-manager shipped with Debian 3.1 (sarge).
An untrusted PATH vulnerability could allow a local attacker to execute arbitrary code with elevated privileges by providing a malicious rm executable and specifying a PATH environment variable referencing this executable.
Improper escaping of HTML content could allow an attacker to mount a cross-site scripting (XSS) attack and execute arbitrary code in the victim's browser in the security context of the affected web site.
For the old stable distribution (sarge), this problem has been fixed in version 0.4.9-2sarge1. Newer versions of Debian (etch, lenny, and sid) are not affected.
We recommend that you upgrade your ldap-account-manager package.
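Beyond upgrading, the first issue is a textbook untrusted-PATH bug: privileged code called rm by bare name, so whatever the invoking user put in PATH was executed. The POSIX shell below is an added example, not code from this advisory or from the ldap-account-manager project: it audits a PATH string for entries a local user could control and shows the hardened way to invoke rm (absolute path, PATH pinned). The function names and the /bin/rm location are assumptions.

```shell
#!/bin/sh
# Added example; not code from DSA-1287 or from ldap-account-manager.
# Function names are hypothetical; /bin/rm is where Debian installs rm.

# audit_path PATHSTRING: print each untrusted entry and return 1 if any.
# Untrusted means: an empty entry (the shell treats it as the current
# directory), a relative entry, or a directory writable by other users.
audit_path() {
    _rc=0
    _rest="$1:"                       # trailing ':' makes the loop uniform
    while [ -n "$_rest" ]; do
        _d=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_d" in
            "")
                echo "untrusted: empty entry (current directory)"; _rc=1 ;;
            /*)
                # POSIX find: -H follows a symlinked entry such as /bin,
                # -prune stops descent, -perm -0002 matches world-writable
                if [ -d "$_d" ] && [ -n "$(find -H "$_d" -prune -perm -0002 2>/dev/null)" ]; then
                    echo "untrusted: world-writable directory '$_d'"; _rc=1
                fi ;;
            *)
                echo "untrusted: relative entry '$_d'"; _rc=1 ;;
        esac
    done
    return $_rc
}

# safe_remove FILE...: delete files without trusting the environment. The
# binary is named by absolute path, and PATH is pinned for anything rm
# itself might spawn, so the caller's PATH never decides what runs.
safe_remove() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin /bin/rm -f -- "$@"
}

# Stand-alone run: report on the PATH this script inherited.
audit_path "$PATH" || echo "current PATH contains untrusted entries"
```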
- Fixed in:
Debian GNU/Linux 3.1 (oldstable)
- Architecture-independent component:
MD5 checksums of the listed files are available in the original advisory.