
List:       oss-security
Subject:    Re: [oss-security] Portus, missing LDAP server authentication
From:       Marcus Meissner <meissner () suse ! de>
Date:       2017-12-18 6:28:32
Message-ID: 20171218062832.GB9249 () suse ! de

Hi,

On Sun, Dec 17, 2017 at 02:36:42PM +0100, Raphael Geissert wrote:
> Hi,
> 
> Portus 2.2 and older provides LDAP integration for authenticating the
> users. However, in spite of it providing advice on configuring it to
> "to setup LDAP over SSL/TLS"[1], the implementation does not verify
> the server's identity at all.
> 
> I'm writing about it here mainly because there appears to be some
> intention of TLS support. Users might expect it to actually provide
> some kind of security.
> 
> Interestingly enough, the documentation and the config file comments
> say 'the recommended [method] is "starttls".'[2] I don't know where
> they got that from.
> 
> CC'ing SUSE's security team.
> 
> I have not yet reported it to the portus team directly, nor requested
> a CVE id (though I'm tempted to request one, to err on the side of
> safety).
> 
> 
> [1]http://port.us.org/docs/Configuring-Portus.html
> [2]https://github.com/SUSE/Portus/blob/master/config/config.yml#L49
> 
> Cheers,

I have opened
https://bugzilla.suse.com/show_bug.cgi?id=1073232
for this issue.

Ciao, Marcus
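To make the reported weakness concrete for anyone auditing an LDAP integration of this kind, here is an added Ruby example (not Portus code, and not from either poster). It builds the TLS options in the shape that the net-ldap gem's `Net::LDAP.new(encryption: { method:, tls_options: })` expects, first from a config that only turns on STARTTLS (encrypted but with no server identity check, which is the state the report describes) and then from a config that pins a CA bundle and enables peer and hostname verification. The config key names (`method`, `ca_file`, `verify_peer`) and the `audit_tls_options` checker are assumptions for illustration; only Ruby's standard `openssl` library is needed to run it.

```ruby
require 'openssl'

# Constructed sample config sections (key names are illustrative, not Portus's).
# The weak one mirrors "starttls with no verification": the channel is encrypted,
# but any server presenting any certificate is accepted.
LDAP_CONFIG_WEAK = {
  'hostname' => 'ldap.example.test', 'port' => 389, 'method' => 'starttls'
}
LDAP_CONFIG_HARDENED = LDAP_CONFIG_WEAK.merge(
  'ca_file' => '/etc/ssl/certs/ca-certificates.crt', # path is an assumption
  'verify_peer' => true
)

# Translate a config section into net-ldap style encryption options.
# Shape assumed from net-ldap's documentation: { method: :start_tls | :simple_tls, tls_options: {...} }.
def ldap_encryption_options(config)
  method = config['method'] == 'starttls' ? :start_tls : :simple_tls
  tls = {}
  if config['verify_peer']
    tls[:verify_mode] = OpenSSL::SSL::VERIFY_PEER   # reject an unverifiable chain
    tls[:ca_file] = config['ca_file'] if config['ca_file']
    tls[:verify_hostname] = true                    # bind the cert to the LDAP host name
  else
    tls[:verify_mode] = OpenSSL::SSL::VERIFY_NONE   # encrypted, but server identity is never checked
  end
  { method: method, tls_options: tls }
end

# Audit helper: list what is missing for the server to be authenticated.
# An empty result means peer verification, a trust anchor and a hostname check are all present.
def audit_tls_options(opts)
  tls = opts[:tls_options] || {}
  findings = []
  unless tls[:verify_mode] == OpenSSL::SSL::VERIFY_PEER
    findings << 'verify_mode is not VERIFY_PEER: server certificate is not validated'
  end
  unless tls[:ca_file] || tls[:ca_path]
    findings << 'no ca_file/ca_path: no trust anchor to validate the chain against'
  end
  unless tls[:verify_hostname]
    findings << 'verify_hostname not set: certificate is not bound to the LDAP host'
  end
  findings
end

# Apply the options to a real OpenSSL context, the way a client library would
# before opening the socket; the context's verify_mode is the setting that matters.
def ssl_context_for(opts)
  tls = opts[:tls_options] || {}
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = tls.fetch(:verify_mode, OpenSSL::SSL::VERIFY_PEER)
  ctx.ca_file = tls[:ca_file] if tls[:ca_file]
  ctx.verify_hostname = tls[:verify_hostname] if tls.key?(:verify_hostname)
  ctx
end

if __FILE__ == $PROGRAM_NAME
  [['weak', LDAP_CONFIG_WEAK], ['hardened', LDAP_CONFIG_HARDENED]].each do |label, cfg|
    opts = ldap_encryption_options(cfg)
    findings = audit_tls_options(opts)
    puts "#{label}: method=#{opts[:method]} findings=#{findings.empty? ? 'none' : findings.join('; ')}"
  end
end
```

The point the audit makes is the one in the report: choosing STARTTLS (or LDAPS) only encrypts the channel, and without `VERIFY_PEER`, a trust anchor and a hostname check the client has no way to tell the real directory server from anything else that completes a TLS handshake.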