Date: Sun, 29 Mar 2015 02:24:23 -0400 (EDT) From: cve-assign@...re.org To: corsac@...ian.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, team@...urity.debian.org Subject: Re: CVE request (Debian specific): slapd: dangerous access rule in default config -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Debian bug #761406 was fixed in Debian sid some time ago, but no CVE was > assigned. In order to raise some exposure, and make sure admins > check/fix their config, we'll issue a DSA, so I'm requesting a CVE for > this. > > The problem is that by default LDAP users have write access to their own > attributes. If LDAP is used to grant permissions, and those permissions > are stored as user attributes (for example by using the ou), then an > user can modify its own permissions, which is usually not wanted. > > It's a Debian specific issue, > : https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761406 Use CVE-2014-9713 for this Debian specific issue. > but the OpenLDAP documentation  > actually recommends something like that. > : http://www.openldap.org/doc/admin24/guide.html#Basic%20ACLs We think there might be a need for a second CVE related to this upstream issue, because the recommendation is contained in a file bundled with the upstream software distribution, i.e., doc/guide/admin/access-control.sdf in the ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.40.tgz file. (Admittedly, CVEs for documentation are infrequent. CVE-2010-4179 is one example.) The essence of the issue is that it's easy for documentation readers to infer that the Basic ACLs section, as well as essentially all of the access-control.sdf file, is suggesting that "access to * by self write" (with no earlier write restrictions) is a typically correct or recommended design. It seems very unlikely that only Debian is facing a related security impact. On the other hand, if upstream believes that its existing documentation is completely reasonable, then having a CVE for it could be counterproductive. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVF5mJAAoJEKllVAevmvmsyjcH/RZ8v3D+WSZvt++b4PJTea5p sRXkRRnJizcak2idk+nEunQdlxutnNtSmZW6CvC/JI2CWUkY0jKbzPi9vpOqrZKg H6spjx9+WK3EixlUjm0CaOWeanjl0KAqItbkpYOPKAZofKSWUsCmDNjKHaI9/zJ2 WvPyhfxyEurPSUaf/u0tcZ3QNEo9Hmz4EVS2YmuFBFBFUgRHxzq1V1OhhT9+mFmP ZNFBdF/HOCSLC/c2M0mvvDWo1scRl41vTsNp/JO8X1lmG/OAcaDjYoYgfQcg2GiU GxGC5G95iOS77Mx/QBeZfGqBdeQpyiVU32s9shACr8fvLasvJ4I7/UGakyeq7qM= =/YQE -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ