Launchpad.net

CVE 2007-5373

ldapscripts 1.4 and 1.7 sends a password as a command line argument when calling some LDAP programs, which might allow local users to read the password by listing the process and its arguments, as demonstrated by a call to ldappasswd in the _changepassword function.

Related bugs and status

CVE-2007-5373 (Candidate) is related to these bugs:

Bug #203450: [ldapscripts] [CVE-2007-5373] information disclosure

		In	Importance	Status
203450	[ldapscripts] [CVE-2007-5373] information disclosure	ldapscripts (Ubuntu)	Undecided	Fix Released
203450	[ldapscripts] [CVE-2007-5373] information disclosure	ldapscripts (Debian)	Unknown	Fix Released
203450	[ldapscripts] [CVE-2007-5373] information disclosure	ldapscripts (Ubuntu Dapper)	Undecided	Won't Fix
203450	[ldapscripts] [CVE-2007-5373] information disclosure	ldapscripts (Ubuntu Edgy)	Undecided	Won't Fix
203450	[ldapscripts] [CVE-2007-5373] information disclosure	ldapscripts (Ubuntu Gutsy)	Undecided	Won't Fix
203450	[ldapscripts] [CVE-2007-5373] information disclosure	ldapscripts (Ubuntu Feisty)	Undecided	Won't Fix

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://bugs.debian.org...
SECUNIA: 27111
BID: 25982
DEBIAN: DSA-1517
SECUNIA: 29395
XF: ldapscripts-commandlin...