Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 05 Jun 2014 16:01:00 +1000
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
CC: cve-assign@...re.org, carnil@...ian.org
Subject: Re: CVE Request: Horde_Ldap: Stricter parameter check
 in bind() to detect empty passwords

On 06/05/2014 05:51 AM, Salvatore Bonaccorso wrote:
> Hi,
>
> Horde_Ldap released an update fixing a security issue mentioned in the
> changes:
>
>> [jan] SECURITY: Stricter parameter check in bind() to detect empty
>> passwords.
>
> https://github.com/horde/horde/commit/8f719b53b0ee2d4b8a40a770430683c98fb5f2fd
>
> fixed in 2.0.6 with commit:
>
> https://github.com/horde/horde/commit/4c3e18f1724ab39bfef10c189a5b52036a744d55
>
> Could a CVE be assigned for this issue?
>
> Regards,
> Salvatore
>

Thanks for pointing this one out. FWIW, I discussed this issue with Kurt 
Seifried and we believe it would be hardening fix, not a CVE-named issue.

It seems this flaw could let you accidentally connect to an LDAP server 
without a password, but the flaw in this scenario is in the LDAP server, 
and this fix helps prevent you from doing that.

Some further explanations about this are available in 
http://securitysynapse.blogspot.ca/2013/09/dangers-of-ldap-null-base-and-bind.html

Cheers,

--
Murray McAllister / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ