- Prior to this update, the disconnect logic contained a misprint and a failure return value was missing. This update corrects the misprint and adds the missing return value.
- Prior to this update, the nslcd daemon performed the idle time expiration check for the LDAP connection before starting an LDAP search operation. On a lossy network or if the LDAP server was under a heavy load, the connection could time out after the successful check and the search operation then failed. With this update, the idle time expiration test is now performed during the LDAP search operation so that the connection now no longer expires under these circumstances.
- Prior to this update, when the nslcd daemon requested access to a large group, a buffer provided by the glibc library could not contain such a group and retried again with a larger buffer to process the operation successfully. As a consequence, redundant error messages were logged in the /var/log/message file. This update makes sure that even when glibc provides a buffer that is too small on first attempt in the described scenario, no redundant error messages are returned.
- An array index error, leading to a stack-based buffer overflow flaw, was found in the way nss-pam-ldapd managed open file descriptors. An attacker able to make a process have a large number of open file descriptors and perform name lookups could use this flaw to cause the process to crash or, potentially, execute arbitrary code with the privileges of the user running the process.