Debian Security Advisory

DSA-1287-1 ldap-account-manager -- multiple vulnerabilities

Date Reported:
07 May 2007
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 415379.
In Mitre's CVE dictionary: CVE-2006-7191, CVE-2007-1840.
More information:

Two vulnerabilities have been identified in the version of ldap-account-manager shipped with Debian 3.1 (sarge).

  • CVE-2006-7191

    An untrusted PATH vulnerability could allow a local attacker to execute arbitrary code with elevated privileges by providing a malicious rm executable and specifying a PATH environment variable referencing this executable.

  • CVE-2007-1840

    Improper escaping of HTML content could allow an attacker to execute a cross-site scripting attack (XSS) and execute arbitrary code in the victim's browser in the security context of the affected web site.

For the old stable distribution (sarge), this problem has been fixed in version 0.4.9-2sarge1. Newer versions of Debian (etch, lenny, and sid), are not affected.

We recommend that you upgrade your ldap-account-manager package.

Fixed in:

Debian GNU/Linux 3.1 (oldstable)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.