Date: Mon, 18 Dec 2017 07:28:32 +0100 From: Marcus Meissner <meissner@...e.de> To: oss-security@...ts.openwall.com Cc: security@...e.de Subject: Re: Portus, missing LDAP server authentication Hi, On Sun, Dec 17, 2017 at 02:36:42PM +0100, Raphael Geissert wrote: > Hi, > > Portus 2.2 and older provides LDAP integration for authenticating the > users. However, in spite of it providing advice on configuring it to > "to setup LDAP over SSL/TLS", the implementation does not verify > the server's identity at all. > > I'm writing about it here mainly because there appears to be some > intention of TLS support. Users might expect it to actually provide > some kind of security. > > Interestingly enough, the documentation and the config file comments > say 'the recommended [method] is "starttls".' I don't know where > they got that from. > > CC'ing SUSE's security team. > > I have not yet reported it to the portus team directly, nor requested > a CVE id (though I'm tempted to request one, to err on the side of > safety). > > > http://port.us.org/docs/Configuring-Portus.html > https://github.com/SUSE/Portus/blob/master/config/config.yml#L49 > > Cheers, I have opened https://bugzilla.suse.com/show_bug.cgi?id=1073232 for this issue. Ciao, Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ