Date: Mon, 18 Dec 2017 07:28:32 +0100
From: Marcus Meissner
Subject: Re: Portus, missing LDAP server authentication


On Sun, Dec 17, 2017 at 02:36:42PM +0100, Raphael Geissert wrote:
> Hi,
> Portus 2.2 and older provides LDAP integration for authenticating the
> users. However, in spite of it providing advice on configuring it
> "to setup LDAP over SSL/TLS"[1], the implementation does not verify
> the server's identity at all.
> I'm writing about it here mainly because there appears to be some
> intention of TLS support. Users might expect it to actually provide
> some kind of security.
> Interestingly enough, the documentation and the config file comments
> say 'the recommended [method] is "starttls".'[2] I don't know where
> they got that from.
> CC'ing SUSE's security team.
> I have not yet reported it to the portus team directly, nor requested
> a CVE id (though I'm tempted to request one, to err on the side of
> safety).
> [1]
> [2]
> Cheers,

I have opened
for this issue.

Ciao, Marcus
