Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 78776

Summary: www-proxy/squid partial ldap username bypass
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: andrewbevitt
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: B4 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-19 23:08:04 UTC
LDAP is very forgiving about spaces in search filters and this could be abused to log in using several variants of the login name, possibly bypassing explicit access controls or confusing accounting
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-19 23:09:57 UTC
Andrew please apply.
Comment 2 Andrew Bevitt 2005-01-21 03:43:15 UTC
Fixes in 2.5.7-r3 just in cvs now.

Patchset : 20050121
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-21 04:06:39 UTC
Thx Andrew.

Security please vote on GLSA for this one.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-01-21 05:49:43 UTC
I would vote NO. Squid has suffered enough already, and it could be considered a simple bug.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-23 04:49:53 UTC
I vote for no GLSA as well. If another issue pops up we might include it.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-02 12:38:18 UTC
GLSA 200502-04