Debian Security Advisory

DLA-408-1 gosa -- LTS security update

Date Reported:
31 Jan 2016
Affected Packages:
gosa
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2015-8771.
More information:

GOsa is a combined system-administrator and end-user web interface, designed to handle LDAP-based setups.

GOsa upstream reported a code injection vulnerability in the Samba plugin code of GOsa. During Samba password changes it has been possible to inject malicious Perl code.

This upload to Debian Squeeze LTS fixes this issue. However, if you upgrade to this fixed package revision, please note that Samba password changes will stop working until the sambaHashHook parameter in gosa.conf has been updated to accept base64-encoded password strings from the PHP code of GOsa.

Please read /usr/share/doc/gosa/NEWS.gz and the gosa.conf(5) man page after you have upgraded to this package revision and adapt gosa.conf as described there.
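The following is an added illustration of why the fix changes the hook interface; it is not GOsa's code and makes no claim about how the Samba plugin or a real sambaHashHook is written. It contrasts an assumed vulnerable pattern (a raw password interpolated into a hook command line) with the hardened pattern the advisory describes (the hook receives a base64-encoded string), using a constructed password that contains shell and Perl metacharacters. The hook path, the %uid/%password placeholders and the helper names are assumptions made for this example only.

```python
import base64
import re
from typing import List

# Constructed test input: a password carrying characters that are special
# to sh, Perl string interpolation and Perl's backtick/qx operator.
# Nothing in this example executes anything; it only builds strings.
HOSTILE_PASSWORD = 'pw"; `id` $(whoami) #'

# A base64 encoder can only emit these characters (plus '=' padding).
# None of them is special to a shell or to Perl interpolation.
BASE64_ALPHABET = re.compile(r'^[A-Za-z0-9+/]*={0,2}$')

# Characters we treat as dangerous if they reach a command string.
SHELL_METACHARS = '`$;"\'|&<>#\n'


def hook_command_unsafe(hook_template: str, uid: str, password: str) -> str:
    """Assumed vulnerable pattern: the raw password is substituted into a
    single command string that a shell (or Perl) will later parse."""
    return hook_template.replace("%uid", uid).replace("%password", password)


def hook_argv_hardened(hook_path: str, uid: str, password: str) -> List[str]:
    """Hardened pattern: the password is base64-encoded and passed as its
    own argv element, so the hook side only ever sees [A-Za-z0-9+/=] and
    no shell reparses the value. The hook must decode it (see hook_decodes)."""
    encoded = base64.b64encode(password.encode("utf-8")).decode("ascii")
    if not BASE64_ALPHABET.fullmatch(encoded):
        raise ValueError("encoder produced a character outside base64")
    return [hook_path, uid, encoded]


def hook_decodes(argument: str) -> str:
    """What the updated hook does on its side: recover the real password.
    validate=True rejects any character outside the base64 alphabet."""
    return base64.b64decode(argument, validate=True).decode("utf-8")


def contains_shell_metachars(text: str) -> bool:
    """True if the string could change the meaning of a shell/Perl command."""
    return any(ch in text for ch in SHELL_METACHARS)


if __name__ == "__main__":
    template = '/usr/local/sbin/samba-hash-hook.pl %uid "%password"'  # assumed
    print("unsafe :", hook_command_unsafe(template, "alice", HOSTILE_PASSWORD))
    argv = hook_argv_hardened("/usr/local/sbin/samba-hash-hook.pl", "alice", HOSTILE_PASSWORD)
    print("argv   :", argv)
    print("decoded:", hook_decodes(argv[2]) == HOSTILE_PASSWORD)
```

The point of the comparison is that after the fix, the only place the real password exists in cleartext is inside the hook process after decoding, never inside a string a shell interprets.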