oss-sec mailing list archives
Re: CVE Request: Horde_Ldap: Stricter parameter check in bind() to detect empty passwords
From: Murray McAllister <mmcallis () redhat com>
Date: Thu, 05 Jun 2014 16:01:00 +1000
On 06/05/2014 05:51 AM, Salvatore Bonaccorso wrote:
Hi,

Horde_Ldap released an update fixing a security issue mentioned in the changes:

[jan] SECURITY: Stricter parameter check in bind() to detect empty passwords.
https://github.com/horde/horde/commit/8f719b53b0ee2d4b8a40a770430683c98fb5f2fd

fixed in 2.0.6 with commit:
https://github.com/horde/horde/commit/4c3e18f1724ab39bfef10c189a5b52036a744d55

Could a CVE be assigned for this issue?

Regards,
Salvatore
Thanks for pointing this one out. FWIW, I discussed this issue with Kurt Seifried and we believe it would be a hardening fix, not a CVE-named issue.
It seems this flaw could let you accidentally connect to an LDAP server without a password, but the flaw in this scenario is in the LDAP server, and this fix helps prevent you from doing that.
Some further explanations about this are available in http://securitysynapse.blogspot.ca/2013/09/dangers-of-ldap-null-base-and-bind.html
Cheers,
--
Murray McAllister / Red Hat Security Response Team
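The failure mode discussed in this thread, as an added illustration that is not part of the thread or of Horde's code: a simulated directory that honours the RFC 4513 "unauthenticated" simple bind (DN present, password empty), a naive login that mistakes that bind for a verified password, and a hardened login that performs the client-side empty-password check the Horde_Ldap change describes. The server, DNs and passwords are constructed sample data.

```python
# Constructed illustration of the unauthenticated simple bind (RFC 4513
# s.5.1.2): a DN with an EMPTY password does not fail, it succeeds with
# anonymous rights. An app that equates "bind succeeded" with "password
# verified" therefore accepts a blank password. hardened_login() shows the
# client-side check the Horde_Ldap fix describes; the server is a fake.
from dataclasses import dataclass


class BindError(Exception):
    """Raised when a bind is rejected, by the client check or the server."""


@dataclass
class FakeLdapServer:
    """Stand-in for a directory that permits unauthenticated binds."""
    passwords: dict  # dn -> password, constructed sample data

    def simple_bind(self, dn: str, password: str) -> str:
        # Empty DN and empty password: plain anonymous bind (RFC 4513 5.1.1).
        if dn == "" and password == "":
            return "anonymous"
        # DN given, empty password: "unauthenticated" bind (RFC 4513 5.1.2).
        # Servers that allow it return success with anonymous rights.
        if password == "":
            return "anonymous"
        if self.passwords.get(dn) == password:
            return "authenticated"
        raise BindError("invalidCredentials")


def naive_login(server: FakeLdapServer, dn: str, password: str) -> bool:
    """Pre-fix behaviour: any bind that does not error counts as a login."""
    try:
        server.simple_bind(dn, password)
        return True
    except BindError:
        return False


def hardened_login(server: FakeLdapServer, dn: str, password: str) -> bool:
    """Post-fix behaviour: never send a bind with an empty DN or password,
    and only trust a bind the server reports as authenticated."""
    if not dn or not password:
        raise BindError("bind() requires a non-empty DN and password")
    try:
        return server.simple_bind(dn, password) == "authenticated"
    except BindError:
        return False
```

Disabling unauthenticated binds on the server side is the complementary fix; the client check only keeps an application from relying on a server that still allows them.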