Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 28 Mar 2015 23:52:12 +0100
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Cc: team@...urity.debian.org
Subject: CVE request (Debian specific): slapd: dangerous access rule in
 default config

Hi,

Debian bug #761406 was fixed in Debian sid some time ago, but no CVE was
assigned. In order to raise some exposure, and make sure admins
check/fix their config, we'll issue a DSA, so I'm requesting a CVE for
this.

The problem is that by default LDAP users have write access to their own
attributes. If LDAP is used to grant permissions, and those permissions
are stored as user attributes (for example by using the ou), then an
user can modify its own permissions, which is usually not wanted.

It's a Debian specific issue, but the OpenLDAP documentation [2]
actually recommends something like that.

Thanks in advance,

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761406
[2]: http://www.openldap.org/doc/admin24/guide.html#Basic ACLs
-- 
Yves-Alexis

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ