[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2021-33900: Apache Directory Studio: StartTLS and SASL confidentiality protection
From:       Stefan Seelmann <seelmann () apache ! org>
Date:       2021-07-24 9:23:16
Message-ID: 7b9ad310-d697-ba48-be22-4d85b77a205a () apache ! org
[Download RAW message or body]

Severity: high

Description:

While investigating DIRSTUDIO-1219 it was noticed that configured
StartTLS encryption was not applied when any SASL authentication
mechanism (DIGEST-MD5, GSSAPI) was used. While investigating
DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality
layer was not applied. This issue affects Apache Directory Studio
version 2.0.0.v20210213-M16 and prior versions.

Mitigation:

This issue was fixed in 2.0.0.v20210717-M17. All users using SASL are
recommended to upgrade to Apache Directory Studio 2.0.0.v20210717-M17.

Credit:

Apache Directory would like to thank Hugh Cole-Baker for reporting this
issue.
[prev in list] [next in list] [prev in thread] [next in thread]