Date: Thu, 05 Jun 2014 16:01:00 +1000 From: Murray McAllister <mmcallis@...hat.com> To: oss-security@...ts.openwall.com CC: cve-assign@...re.org, carnil@...ian.org Subject: Re: CVE Request: Horde_Ldap: Stricter parameter check in bind() to detect empty passwords On 06/05/2014 05:51 AM, Salvatore Bonaccorso wrote: > Hi, > > Horde_Ldap released an update fixing a security issue mentioned in the > changes: > >> [jan] SECURITY: Stricter parameter check in bind() to detect empty >> passwords. > > https://github.com/horde/horde/commit/8f719b53b0ee2d4b8a40a770430683c98fb5f2fd > > fixed in 2.0.6 with commit: > > https://github.com/horde/horde/commit/4c3e18f1724ab39bfef10c189a5b52036a744d55 > > Could a CVE be assigned for this issue? > > Regards, > Salvatore > Thanks for pointing this one out. FWIW, I discussed this issue with Kurt Seifried and we believe it would be hardening fix, not a CVE-named issue. It seems this flaw could let you accidentally connect to an LDAP server without a password, but the flaw in this scenario is in the LDAP server, and this fix helps prevent you from doing that. Some further explanations about this are available in http://securitysynapse.blogspot.ca/2013/09/dangers-of-ldap-null-base-and-bind.html Cheers, -- Murray McAllister / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ