Date: Fri, 18 Sep 2015 10:58:56 +1000
From: David Black <dblack@...assian.com>
To: oss-security@...ts.openwall.com
Subject: CVE request - ldapauth-fork versions < 2.3.3 are vulnerable to ldap injection.

ldapauth-fork versions < 2.3.3 are vulnerable to ldap injection through the username parameter.

This issue was reported at https://github.com/vesse/node-ldapauth-fork/issues/21 and was fixed in https://github.com/vesse/node-ldapauth-fork/commit/3feea43e243698bcaeffa904a7324f4d96df60e4 . ldapauth-fork version 2.3.3 includes the fix.

Can a CVE be assigned for this issue?

Note: the node-ldapauth project found at https://github.com/trentm/node-ldapauth, which node-ldapauth-fork was forked from, is still vulnerable to this issue. I notified the owner of the node-ldapauth repository but have not heard back.

-- 
David Black / Security Engineer.
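The injection class named above arises when a username is spliced verbatim into an LDAP search filter. The following is an added illustration, not code from ldapauth-fork or its fix commit: it escapes filter metacharacters per RFC 4515 before substitution and contrasts that with raw interpolation. The template placeholder `{{username}}` and the function names are assumptions for this example.

```javascript
// Added example (not ldapauth-fork's own code): RFC 4515 value escaping as a
// defence against LDAP filter injection through a user-supplied username.

// RFC 4515 section 3 requires '\', '*', '(', ')' and NUL inside an assertion
// value to be encoded as a backslash followed by two hex digits.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) =>
    "\\" + ch.charCodeAt(0).toString(16).padStart(2, "0")
  );
}

// Unsafe pattern: the raw username is inserted into the filter template, so
// any filter metacharacters it contains alter the structure of the query.
function buildFilterUnsafe(template, username) {
  return template.replace("{{username}}", username);
}

// Safe pattern: the username is escaped first, so the server can only ever
// compare it as a literal string.
function buildFilterSafe(template, username) {
  return template.replace("{{username}}", escapeFilterValue(username));
}

// Structural check used by the test: the number of parentheses in the
// finished filter must equal the number in the template, otherwise the
// substituted value has added or removed filter components.
function countParens(filter) {
  return (filter.match(/[()]/g) || []).length;
}

// Constructed sample: a username containing metacharacters (not an attack
// string, just characters a filter treats specially).
const SEARCH_TEMPLATE = "(&(objectClass=person)(uid={{username}}))";
const SAMPLE_USERNAME = "j*doe(1)";

function demo() {
  return {
    unsafe: buildFilterUnsafe(SEARCH_TEMPLATE, SAMPLE_USERNAME),
    safe: buildFilterSafe(SEARCH_TEMPLATE, SAMPLE_USERNAME),
  };
}
```

A safe filter built from the sample username reads `(&(objectClass=person)(uid=j\2adoe\281\29))`, with the same six parentheses as the template; the unsafe one carries eight.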