Bug 78776 - www-proxy/squid partial ldap username bypass
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://www.squid-cache.org/Versions/v...
Whiteboard: B4 [glsa] jaervosz
Reported: 2005-01-19 23:08 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-02-02 12:38 UTC
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-19 23:08:04 UTC
LDAP is very forgiving about spaces in search filters and this could be abused to log in using several variants of the login name, possibly bypassing explicit access controls or confusing accounting.
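An added illustration, not part of the bug report and not Squid's patch: the directory treats space variants of a login as one entry while a byte-for-byte ACL or log comparison treats them as different names, and a helper-side check that rejects non-canonical logins closes that gap. The space-collapsing rule is a simplified stand-in for LDAP matching; `dir_same_entry`, `login_is_canonical` and the `alice` logins are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption) of directory name matching: leading and
 * trailing spaces are ignored, inner runs of spaces count as one. */
static void dir_normalize(const char *in, char *out, size_t outlen)
{
    size_t n = 0, gap = 0;
    while (*in == ' ') in++;
    for (; *in && n + 2 < outlen; in++) {
        if (*in == ' ') { gap = 1; continue; }
        if (gap) { out[n++] = ' '; gap = 0; }
        out[n++] = *in;
    }
    out[n] = '\0';
}

/* Directory's view: do two login strings select the same entry? */
static int dir_same_entry(const char *a, const char *b)
{
    char na[128], nb[128];
    dir_normalize(a, na, sizeof na);
    dir_normalize(b, nb, sizeof nb);
    return strcmp(na, nb) == 0;
}

/* Helper-side check: accept only logins already in the form the directory
 * reduces them to, so strcmp-style ACLs and logs see one name per user. */
static int login_is_canonical(const char *login)
{
    const unsigned char *p = (const unsigned char *)login;
    if (*p == '\0' || isspace(*p)) return 0;         /* empty or leading */
    for (; *p; p++) {
        if (!isspace(*p)) continue;
        if (*p != ' ') return 0;                      /* tab, newline, ... */
        if (p[1] == '\0' || isspace(p[1])) return 0;  /* trailing or doubled */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample logins; "alice" is a hypothetical ACL entry. */
    const char *s[] = { "alice", "alice ", " alice", "al  ice", "alice\t" };
    for (size_t i = 0; i < sizeof s / sizeof *s; i++)
        printf("[%s] dir:%d acl:%d ok:%d\n", s[i], dir_same_entry(s[i], "alice"),
               strcmp(s[i], "alice") == 0, login_is_canonical(s[i]));
    return 0;
}
```

Any login where `dir:1` and `acl:0` appear together is one the directory would authenticate as `alice` while an exact-match ACL or accounting record would treat it as someone else; the check rejects those before the lookup.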
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-19 23:09:57 UTC
Andrew please apply.
Comment 2 Andrew Bevitt 2005-01-21 03:43:15 UTC
Fixes in 2.5.7-r3 just in cvs now.

Patchset : 20050121
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-21 04:06:39 UTC
Thx Andrew.

Security please vote on GLSA for this one.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-01-21 05:49:43 UTC
I would vote NO. Squid has suffered enough already, and it could be considered a simple bug.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-23 04:49:53 UTC
I vote for no GLSA as well. If another issue pops up we might include it.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-02 12:38:18 UTC
GLSA 200502-04