[Python-modules-team] Bug#823488: Bug#823488: python-ldap3: connection switch silently to anonymous bind if password is empty, failing auth
Brian May
bam at debian.org
Sat May 7 07:15:46 UTC 2016
Simone Piccardi <piccardi at truelite.it> writes:
> When creating a connection with the Connection object the code defaults to
> AUTH_ANONYMOUS (doing so an anonymus bind) also when _only_ the password
> is empty (not, as said by documentation, when both user and password are
> empty).
Hello,
You appear to be reporting this bug against the version in
Jessie. However the version in unstable is fixed. See
https://github.com/cannatag/ldap3/issues/174
As a result, I don't think there is anything I can do with this
report. You could try talking to the security team, however I don't
think this would qualify as a security issue requiring a security
fix. It might also qualify for an update as a point release.
I would be nervous about changing the behaviour of a function in a
stable release, and the potential of this change to break other
applications that could potentially be relying on this (broken)
behaviour.
Regards
--
Brian May <bam at debian.org>
More information about the Python-modules-team
mailing list