[pkg-go] Bug#876404: Pending fixes for bugs in the golang-github-go-ldap-ldap package
pkg-go-maintainers at lists.alioth.debian.org
pkg-go-maintainers at lists.alioth.debian.org
Sun Dec 3 19:06:05 UTC 2017
tag 876404 + pending
thanks
Some bugs in the golang-github-go-ldap-ldap package are closed in
revision e357b3fd4067f7b070a2031bdf9d3ae91ca00278 in branch '
stretch' by Dr. Tobias Quathamer
The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-go/packages/golang-github-go-ldap-ldap.git/commit/?id=e357b3f
Commit message:
Require explicit intention for empty password.
This is normally used for unauthenticated bind, and
https://tools.ietf.org/html/rfc4513#section-5.1.2 recommends:
> Clients SHOULD disallow an empty password input to a Name/Password
> Authentication user interface
This is (mostly) a cherry-pick of 95ede12 from upstream. I've removed
the bit in ldap_test.go, which is unrelated to the security issue.
This fixes CVE-2017-14623.
https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66
Closes: #876404
More information about the Pkg-go-maintainers
mailing list