Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 18 Dec 2017 07:28:32 +0100
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Cc: security@...e.de
Subject: Re: Portus, missing LDAP server authentication

Hi,

On Sun, Dec 17, 2017 at 02:36:42PM +0100, Raphael Geissert wrote:
> Hi,
> 
> Portus 2.2 and older provides LDAP integration for authenticating the
> users. However, in spite of it providing advice on configuring it to
> "to setup LDAP over SSL/TLS"[1], the implementation does not verify
> the server's identity at all.
> 
> I'm writing about it here mainly because there appears to be some
> intention of TLS support. Users might expect it to actually provide
> some kind of security.
> 
> Interestingly enough, the documentation and the config file comments
> say  'the recommended [method] is "starttls".'[2] I don't know where
> they got that from.
> 
> CC'ing SUSE's security team.
> 
> I have not yet reported it to the portus team directly, nor requested
> a CVE id (though I'm tempted to request one, to err on the side of
> safety).
> 
> 
> [1]http://port.us.org/docs/Configuring-Portus.html
> [2]https://github.com/SUSE/Portus/blob/master/config/config.yml#L49
> 
> Cheers,

I have opened
https://bugzilla.suse.com/show_bug.cgi?id=1073232
for this issue.

Ciao, Marcus

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ