Bug#: 218154
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Matthias Geerdsen <vorlon@gentoo.org>
Description:   Opened: 2008-04-17 19:18 0000
Quoting from the bug report:
"There is a security hole in the auth procedure. When the authldap module is used and
anonymous login is enabled on the LDAP server, any user can log in to any account
using an empty string as the password."
"Yes. This *only* affects AD, not openldap."

The bug can be found in the mailing list archive:
http://www.mail-archive.com/dbmail-dev@dbmail.org/msg09942.html

The patch used can be found here:
http://git.dbmail.eu/?p=paul/dbmail;a=commitdiff;h=5a4458b9f4b1a1453e35a1c5674c2253b9d00138

------- Comment #1 From Matthias Geerdsen 2008-04-17 19:20:28 0000 -------
arches, please test net-mail/dbmail-2.2.9 and mark stable if possible

------- Comment #2 From Matthias Geerdsen 2008-04-17 19:28:19 0000 -------
Just for completeness, the (locked down) bug that jer pointed out can be found
at http://dbmail.org/mantis/view.php?id=662

------- Comment #3 From Matthias Geerdsen 2008-04-17 21:33:52 0000 -------
CVE assigned:

Name: CVE-2007-6714

DBMail before 2.2.9, when using authldap with an LDAP server that
supports anonymous login such as Active Directory, allows remote
attackers to bypass authentication via an empty password, which causes
the LDAP bind to indicate success based on anonymous authentication.
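
The bind-success-equals-login pattern the CVE text describes, as an added example that is not part of this bug page or of DBMail's code. The LDAP server is a constructed in-memory stand-in whose handling of a DN with an empty password is a switch, because the real decision is made by the directory server (the report says Active Directory accepts such a bind, OpenLDAP does not); `login_vulnerable`, `login_fixed` and `LdapStub` are hypothetical names.

```python
"""Model of the CVE-2007-6714 bug class: treating a successful LDAP simple
bind as proof of identity even when the supplied password is empty.

RFC 4513 section 5.1.2 defines a Bind with a non-empty DN and a zero-length
password as an *unauthenticated* bind: if the server accepts it, the result
is success with an anonymous authorization state, not a verified user.
"""

# Constructed directory (user DN -> password); stands in for AD or OpenLDAP.
DIRECTORY = {
    "cn=alice,dc=example,dc=org": "correct horse battery staple",
}


class LdapStub:
    """Minimal model of a directory server's simple-bind decision."""

    def __init__(self, accept_unauthenticated_bind: bool):
        # True models the Active Directory behaviour named in the report;
        # False models a server that refuses DN + empty password.
        self.accept_unauth = accept_unauthenticated_bind

    def simple_bind(self, dn: str, password: str) -> bool:
        # DN + empty password is an unauthenticated bind (RFC 4513 5.1.2):
        # the server decides whether it "succeeds", and success here says
        # nothing about whether the caller knows the account's password.
        if password == "":
            return self.accept_unauth
        return DIRECTORY.get(dn) == password


def login_vulnerable(server: LdapStub, dn: str, password: str) -> bool:
    """Pre-2.2.9 style check: any successful bind is treated as a login."""
    return server.simple_bind(dn, password)


def login_fixed(server: LdapStub, dn: str, password: str) -> bool:
    """Refuse empty (and whitespace-only) passwords before binding, so an
    unauthenticated bind can never be mistaken for a verified login."""
    if not password or not password.strip():
        return False
    return server.simple_bind(dn, password)
```

The empty-password check belongs in the application regardless of how the directory is configured, since the server-side default can change out from under it.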

------- Comment #4 From Markus Meier 2008-04-17 21:52:00 0000 -------
amd64/x86 stable, last arches.

------- Comment #5 From Robert Buchholz 2008-04-17 23:56:50 0000 -------
GLSA vote... I tend to use yes here since this might allow anyone to retrieve
anyone else's mail via pop3/imap.

------- Comment #6 From Matthias Geerdsen 2008-04-18 08:54:12 0000 -------
Although this could even be seen as C4, since it requires an Active Directory
to be checked against, I vote yes too.

request filed

------- Comment #7 From Matthias Geerdsen 2008-04-19 00:18:47 0000 -------
GLSA 200804-24

thanks everyone

------- Comment #8 From Peter Volkov 2008-04-21 08:19:26 0000 -------
Fixed in release snapshot.
