Date: Sun, 29 Mar 2015 02:24:23 -0400 (EDT)
Subject: Re: CVE request (Debian specific): slapd: dangerous access rule in default config

> Debian bug #761406 was fixed in Debian sid some time ago, but no CVE was
> assigned. In order to raise some exposure, and make sure admins
> check/fix their config, we'll issue a DSA, so I'm requesting a CVE for
> this.
> The problem is that by default LDAP users have write access to their own
> attributes. If LDAP is used to grant permissions, and those permissions
> are stored as user attributes (for example by using the ou), then a
> user can modify its own permissions, which is usually not wanted.
> It's a Debian specific issue,

> [1]:

Use CVE-2014-9713 for this Debian specific issue.

> but the OpenLDAP documentation [2]
> actually recommends something like that.

> [2]:

We think there might be a need for a second CVE related to this
upstream issue, because the recommendation is contained in a file
bundled with the upstream software distribution, i.e.,
doc/guide/admin/access-control.sdf in the

(Admittedly, CVEs for documentation are infrequent. CVE-2010-4179 is
one example.)

The essence of the issue is that it's easy for documentation readers
to infer that the Basic ACLs section, as well as essentially all of
the access-control.sdf file, is suggesting that "access to * by self
write" (with no earlier write restrictions) is a typically correct or
recommended design. It seems very unlikely that only Debian is facing
a related security impact.

On the other hand, if upstream believes that its existing
documentation is completely reasonable, then having a CVE for it could
be counterproductive.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
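The ordering point in both the quoted report and the reply above (a catch-all "access to * by self write" with no earlier, more specific write restriction lets a user rewrite the attribute that carries its own permissions) can be reproduced with a small model of slapd's first-match ACL evaluation. The following is an added illustration, not code from this thread, from Debian or from OpenLDAP: it parses two constructed slapd.conf-style ACL sets and evaluates requests the way slapd.access(5) describes (first matching "to" directive wins, first matching "by" clause within it decides, implicit deny otherwise, and a granted level implies every lower level). The DNs, the admins group, the "group.exact" hardening and the choice of "ou" as the permission-carrying attribute are assumptions for the example; the simplified group check and parser are not slapd's.

```python
"""Simplified model of slapd first-match ACL evaluation (illustrative only, not slapd code)."""
from dataclasses import dataclass

# Access levels in increasing order; a grant of one level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed ACL set matching the pattern described in the thread: the only
# rule that covers "ou" is the catch-all, and it gives "self" write access.
WEAK_ACL = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by users read
    by anonymous auth
"""

# Constructed hardened set (assumed design, one of several possible): a more
# specific directive for the permission-carrying attribute sits BEFORE the
# catch-all, so the catch-all's "by self write" never applies to it.
FIXED_ACL = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to attrs=ou
    by group.exact="cn=admins,dc=example,dc=org" write
    by users read
    by * none
access to *
    by self write
    by users read
    by anonymous auth
"""


@dataclass
class Acl:
    what: str   # "*" or "attrs=a,b"
    by: list    # [(who, level), ...] in the order written


def parse_acls(text):
    """Parse 'access to <what>' / 'by <who> <level>' lines into Acl objects (model parser)."""
    acls = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "access" and tokens[1] == "to":
            acls.append(Acl(what=tokens[2], by=[]))
        elif tokens[0] == "by":
            acls[-1].by.append((tokens[1], tokens[2]))
    return acls


def what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    return False


def who_matches(who, bind_dn, target_dn, groups):
    """bind_dn is None for an anonymous bind; groups maps group DN -> set of member DNs."""
    if who == "*":
        return True
    if who == "self":
        return bind_dn == target_dn
    if who == "users":
        return bind_dn is not None
    if who == "anonymous":
        return bind_dn is None
    if who.startswith("group.exact="):
        group_dn = who.split("=", 1)[1].strip('"')
        return bind_dn in groups.get(group_dn, set())
    return False


def granted_level(acls, bind_dn, target_dn, attr, groups):
    """First matching directive decides; within it, the first matching 'by' clause decides."""
    for acl in acls:
        if what_matches(acl.what, attr):
            for who, level in acl.by:
                if who_matches(who, bind_dn, target_dn, groups):
                    return level
            return "none"   # implicit "by * none" at the end of a matched directive
    return "none"           # no directive matched: implicit deny


def allowed(acls, bind_dn, target_dn, attr, wanted, groups=None):
    got = granted_level(acls, bind_dn, target_dn, attr, groups or {})
    return LEVELS.index(got) >= LEVELS.index(wanted)


# Constructed directory entries for the scenario.
USER = "uid=alice,ou=People,dc=example,dc=org"
ADMIN = "uid=root,ou=People,dc=example,dc=org"
GROUPS = {"cn=admins,dc=example,dc=org": {ADMIN}}


def can_self_modify_ou(acl_text):
    """Can a user bound as itself write its own 'ou' attribute under this ACL set?"""
    return allowed(parse_acls(acl_text), USER, USER, "ou", "write", GROUPS)


if __name__ == "__main__":
    print("weak : user can rewrite own ou ->", can_self_modify_ou(WEAK_ACL))    # True
    print("fixed: user can rewrite own ou ->", can_self_modify_ou(FIXED_ACL))   # False
```

The fixed set keeps "by self write" on the catch-all for attributes that are genuinely the user's own (and on userPassword, where the first directive already restricts it), while the authorization attribute gets its own earlier directive. Moving that directive below the catch-all would silently reintroduce the problem, because slapd stops at the first "to" clause that matches. On a live server the same check is an ldapmodify against the user's own entry, bound as that user, which should fail for the protected attribute.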