[Python-modules-team] Bug#823488: Bug#823488: python-ldap3: connection switch silently to anonymous bind if password is empty, failing auth

Brian May bam at debian.org
Sat May 7 07:15:46 UTC 2016


Simone Piccardi <piccardi at truelite.it> writes:

> When creating a connection with the Connection object the code defaults to 
> AUTH_ANONYMOUS (thus doing an anonymous bind) also when _only_ the password
> is empty (not, as said by the documentation, when both user and password are 
> empty).

Hello,

You appear to be reporting this bug against the version in
Jessie. However, the version in unstable is fixed. See
https://github.com/cannatag/ldap3/issues/174

As a result, I don't think there is anything I can do with this
report. You could try talking to the security team; however, I don't
think this would qualify as a security issue requiring a security
fix. It might also qualify for an update as a point release.

I would be nervous about changing the behaviour of a function in a
stable release, and the potential of this change to break other
applications that could potentially be relying on this (broken)
behaviour.

Regards
-- 
Brian May <bam at debian.org>
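
Added example, not part of the original message and not ldap3 code: a login check that refuses credentials which the behaviour reported above would turn into an anonymous bind. `FakeDirectory`, `naive_login`, `guarded_login` and the sample DN and password are hypothetical, constructed for illustration; the fake models only the fallback described in the report.

```python
class FakeDirectory:
    """Constructed stand-in for a directory that permits anonymous binds."""

    def __init__(self, users):
        self._users = users  # constructed sample data: DN -> password

    def bind(self, user, password):
        # Models the reported behaviour: an empty password alone turns the
        # request into an anonymous bind, which the server accepts.
        if not password:
            return True
        return self._users.get(user) == password


def naive_login(directory, user, password):
    """Treats 'the bind succeeded' as 'this user is authenticated'."""
    return directory.bind(user, password)


def guarded_login(directory, user, password):
    """Reject inputs that could end up as an anonymous bind before binding."""
    if not isinstance(user, str) or not isinstance(password, str):
        return False
    if not user.strip() or not password:
        return False
    return directory.bind(user, password)


ALICE = "uid=alice,dc=example,dc=org"            # constructed DN
DIRECTORY = FakeDirectory({ALICE: "correct horse"})  # constructed password

if __name__ == "__main__":
    for pw in ("correct horse", "wrong", ""):
        print(repr(pw),
              "naive:", naive_login(DIRECTORY, ALICE, pw),
              "guarded:", guarded_login(DIRECTORY, ALICE, pw))
```

An application that cannot upgrade the library can apply the same check in its own login path, before any connection object is created.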


