Date: Thu, 05 Jun 2014 16:01:00 +1000
From: Murray McAllister <>
Subject: Re: CVE Request: Horde_Ldap: Stricter parameter check in bind() to detect empty passwords

On 06/05/2014 05:51 AM, Salvatore Bonaccorso wrote:
> Hi,
> Horde_Ldap released an update fixing a security issue mentioned in the
> changes:
>> [jan] SECURITY: Stricter parameter check in bind() to detect empty
>> passwords.
> fixed in 2.0.6 with commit:
> Could a CVE be assigned for this issue?
> Regards,
> Salvatore

Thanks for pointing this one out. FWIW, I discussed this issue with Kurt
Seifried and we believe it would be a hardening fix, not a CVE-named issue.

It seems this flaw could let you accidentally connect to an LDAP server 
without a password, but the flaw in this scenario is in the LDAP server, 
and this fix helps prevent you from doing that.

Some further explanations about this are available in


Murray McAllister / Red Hat Security Response Team
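To make the failure mode discussed above concrete, here is an added illustration (not Horde's code and not part of the original thread). A simple bind with a non-empty DN and an empty password is an "unauthenticated" bind under RFC 4513 section 5.1.2; a directory that still permits it answers success, so an application that forwards a blank login form straight to bind() appears to have verified a password it never checked. The FakeLdapServer, the DN and the credentials below are constructed stand-ins for such a server.

```python
"""Illustrates the empty-password bind pitfall behind the Horde_Ldap hardening fix.

RFC 4513 section 5.1.2: a simple bind with a non-empty DN and an EMPTY password
is an *unauthenticated* bind. A server that allows it returns success without
proving any identity, so the application must reject blank passwords itself,
before the bind request is ever sent.
"""


class BindError(Exception):
    """Raised when a bind is refused."""


class FakeLdapServer:
    """Constructed stand-in for a directory that permits unauthenticated binds
    (the server-side weakness the thread describes). Not a real LDAP client."""

    def __init__(self, directory):
        self._directory = directory  # dn -> password, constructed sample data

    def bind(self, dn, password):
        if dn and password == "":
            # RFC 4513 5.1.2: the server replies "success", but nobody was authenticated
            return "unauthenticated"
        if self._directory.get(dn) == password:
            return "authenticated"
        raise BindError("invalid credentials")


def naive_login(server, dn, password):
    """Pre-fix pattern: passes whatever the login form submitted straight to bind().
    A blank password is silently turned into an unauthenticated bind."""
    return server.bind(dn, password)


def strict_login(server, dn, password):
    """Hardened pattern: a missing or empty password (and an empty DN) is a failed
    login in the application, so an unauthenticated bind can never be mistaken
    for a successful password check. Whitespace-only passwords are still sent,
    because the directory treats them as real credentials."""
    if not isinstance(dn, str) or dn.strip() == "":
        raise BindError("empty bind DN rejected before bind")
    if not isinstance(password, str) or password == "":
        raise BindError("empty password rejected before bind")
    return server.bind(dn, password)
```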
