
Bug 78776

Summary: www-proxy/squid partial ldap username bypass
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: andrewbevitt
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces
Whiteboard: B4 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-19 23:08:04 UTC
LDAP is very forgiving about spaces in search filters and this could be abused to log in using several variants of the login name, possibly bypassing explicit access controls or confusing accounting.
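The mismatch the description reports, as an added example that is not part of this bug report or of Squid's code: the proxy compares the login as typed while the directory matches it with insignificant spaces ignored, and a check applied before the lookup removes the disagreement. The space-handling model, the function names and the sample login "alice" are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_LOGIN 64

/* Simplified model (assumption) of space-insensitive matching: drop leading
 * and trailing spaces, collapse inner runs. Returns -1 if dst is too small. */
static int normalize_spaces(const char *src, char *dst, size_t cap) {
    size_t n = 0;
    int pending = 0;                    /* a space run awaits emission */
    for (; *src; src++) {
        if (*src == ' ') { pending = (n > 0); continue; }
        if (n + 2 >= cap) return -1;
        if (pending) { dst[n++] = ' '; pending = 0; }
        dst[n++] = *src;
    }
    dst[n] = '\0';
    return 0;
}

/* Directory side: " alice" and "alice " both resolve to uid "alice". */
static int directory_matches(const char *login, const char *uid) {
    char norm[MAX_LOGIN];
    return normalize_spaces(login, norm, sizeof norm) == 0 && strcmp(norm, uid) == 0;
}

/* Proxy side: ACL on the exact string typed ("alice" is constructed data). */
static int acl_blocks(const char *login) { return strcmp(login, "alice") == 0; }

/* Hypothetical pre-lookup check: accept only a non-empty login already in
 * normalized form, so proxy and directory agree on the name. */
static int login_is_canonical(const char *login) {
    char norm[MAX_LOGIN];
    if (normalize_spaces(login, norm, sizeof norm) != 0) return 0;
    return norm[0] != '\0' && strcmp(norm, login) == 0;
}

/* 1 = request is served as "alice" despite the ACL that names her. */
static int passes_unchecked(const char *login) {
    return directory_matches(login, "alice") && !acl_blocks(login);
}
static int passes_checked(const char *login) {
    return login_is_canonical(login) && passes_unchecked(login);
}

int main(void) {
    const char *s[] = { "alice", " alice", "alice  " };   /* constructed */
    for (int i = 0; i < 3; i++)
        printf("[%s] unchecked=%d checked=%d\n", s[i], passes_unchecked(s[i]), passes_checked(s[i]));
    return 0;
}
```

Rejecting a non-canonical login, rather than silently trimming it, also keeps access logs and accounting keyed on a single spelling per user.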
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-19 23:09:57 UTC
Andrew please apply.
Comment 2 Andrew Bevitt 2005-01-21 03:43:15 UTC
Fixes in 2.5.7-r3 just in cvs now.

Patchset : 20050121
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-21 04:06:39 UTC
Thx Andrew.

Security please vote on GLSA for this one.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-01-21 05:49:43 UTC
I would vote NO. Squid has suffered enough already, and it could be considered a simple bug.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-23 04:49:53 UTC
I vote for no GLSA as well. If another issue pops up we might include it.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-02 12:38:18 UTC
GLSA 200502-04