[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Portus, missing LDAP server authentication
From: Marcus Meissner <meissner () suse ! de>
Date: 2017-12-18 6:28:32
Message-ID: 20171218062832.GB9249 () suse ! de
[Download RAW message or body]
Hi,
On Sun, Dec 17, 2017 at 02:36:42PM +0100, Raphael Geissert wrote:
> Hi,
>
> Portus 2.2 and older provides LDAP integration for authenticating the
> users. However, in spite of it providing advice on configuring it to
> "to setup LDAP over SSL/TLS"[1], the implementation does not verify
> the server's identity at all.
>
> I'm writing about it here mainly because there appears to be some
> intention of TLS support. Users might expect it to actually provide
> some kind of security.
>
> Interestingly enough, the documentation and the config file comments
> say 'the recommended [method] is "starttls".'[2] I don't know where
> they got that from.
>
> CC'ing SUSE's security team.
>
> I have not yet reported it to the portus team directly, nor requested
> a CVE id (though I'm tempted to request one, to err on the side of
> safety).
>
>
> [1]http://port.us.org/docs/Configuring-Portus.html
> [2]https://github.com/SUSE/Portus/blob/master/config/config.yml#L49
>
> Cheers,
I have opened
https://bugzilla.suse.com/show_bug.cgi?id=1073232
for this issue.
Ciao, Marcus
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic