Matthew Daley reported the following flaw in ${URL}: Cherokee supports authenticating users via LDAP. It does not ensure that users provide a non-empty password when doing so. If the underlying LDAP server allows unauthenticated binds (see RFC 4513, section 5.1.2: <http://tools.ietf.org/html/rfc4513#section-5.1.2>), an unauthenticated bind will be performed and not the name/password-based authenticated bind that Cherokee is expecting. This success of this bind will cause Cherokee to authenticate the user. This allows an attacker to authenticate as a user for which they only know the username and not the password. Affected versions: current releases (<= 1.2.103) Upstream fix: https://github.com/cherokee/webserver/commit/fbda667221c51f0aa476a02366e0cf66cb012f88
CVE-2014-4668 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4668): The cherokee_validator_ldap_check function in validator_ldap.c in Cherokee 1.2.103 and earlier, when LDAP is used, does not properly consider unauthenticated-bind semantics, which allows remote attackers to bypass authentication via an empty password.
1.2.104 is in the tree and all vulnerable versions were removed. commit 15f426d9bcbb3ec26e6ceb2e544bd31a993036bd Author: Anthony G. Basile <blueness@gentoo.org> Date: Sun Oct 11 21:03:19 2015 -0400 www-servers/cherokee: remove older 1.2.103 version Package-Manager: portage-2.2.20.1
