Date: Fri, 18 Sep 2015 10:58:56 +1000
From: David Black <dblack@...assian.com>
To: oss-security@...ts.openwall.com
Subject: CVE request - ldapauth-fork versions < 2.3.3 are vulnerable to ldap injection.

ldapauth-fork versions < 2.3.3 are vulnerable to ldap injection
through the username parameter. This issue was reported at
https://github.com/vesse/node-ldapauth-fork/issues/21 and was fixed in
https://github.com/vesse/node-ldapauth-fork/commit/3feea43e243698bcaeffa904a7324f4d96df60e4
. ldapauth-fork version 2.3.3 includes the fix.

Can a CVE be assigned for this issue?

Note: the node-ldapauth project found at
https://github.com/trentm/node-ldapauth, which node-ldapauth-fork was
forked from, is still vulnerable to this issue. I notified the owner
of the node-ldapauth repository but have not heard back.

-- 
David Black / Security Engineer.
