golang-github-go-ldap-ldap: CVE-2017-14623

Related Vulnerabilities: CVE-2017-14623  

Debian Bug report logs - #876404
golang-github-go-ldap-ldap: CVE-2017-14623


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 21 Sep 2017 19:15:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version golang-github-go-ldap-ldap/2.4.1-1

Fixed in versions golang-github-go-ldap-ldap/2.5.1-1, golang-github-go-ldap-ldap/2.4.1-1+deb9u1

Done: toddy@debian.org (Dr. Tobias Quathamer)

Bug is archived. No further changes may be made.

Forwarded to https://github.com/go-ldap/ldap/pull/126



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, pkg-go <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#876404; Package src:golang-github-go-ldap-ldap. (Thu, 21 Sep 2017 19:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, pkg-go <pkg-go-maintainers@lists.alioth.debian.org>. (Thu, 21 Sep 2017 19:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: golang-github-go-ldap-ldap: CVE-2017-14623
Date: Thu, 21 Sep 2017 21:13:19 +0200
Source: golang-github-go-ldap-ldap
Version: 2.4.1-1
Severity: important
Tags: patch upstream security
Forwarded: https://github.com/go-ldap/ldap/pull/126

Hi,

the following vulnerability was published for golang-github-go-ldap-ldap.

CVE-2017-14623[0]:
| In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker
| may be able to login with an empty password. This issue affects an
| application using this package if these conditions are met: (1) it
| relies only on the return error of the Bind function call to determine
| whether a user is authorized (i.e., a nil return value is interpreted
| as successful authorization) and (2) it is used with an LDAP server
| allowing unauthenticated bind.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14623
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14623
[1] https://github.com/go-ldap/ldap/pull/126
[2] https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 28 Sep 2017 17:33:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, pkg-go <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#876404; Package src:golang-github-go-ldap-ldap. (Wed, 29 Nov 2017 13:18:03 GMT)


Message #10 received at 876404@bugs.debian.org:

From: pkg-go-maintainers@lists.alioth.debian.org
To: 876404@bugs.debian.org, 876404-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the golang-github-go-ldap-ldap package
Date: Wed, 29 Nov 2017 13:15:08 +0000
tag 876404 + pending
thanks

Some bugs in the golang-github-go-ldap-ldap package are closed in
revision 43d426ab9cbd78d68f72cfb0b57b2188d59649a3 in branch 'master'
by Dr. Tobias Quathamer

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-go/packages/golang-github-go-ldap-ldap.git/commit/?id=43d426a

Commit message:

    Require explicit intention for empty password.
    
    This is normally used for unauthenticated bind, and
    https://tools.ietf.org/html/rfc4513#section-5.1.2 recommends:
    
    > Clients SHOULD disallow an empty password input to a Name/Password
    > Authentication user interface
    
    This is a cherry-pick of 95ede12 from upstream, which fixes CVE-2017-14623.
    
    https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66
    
    Closes: #876404
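The two preconditions in the CVE text quoted above (the application trusts a nil error from Bind; the server permits unauthenticated bind) and the client-side guard this commit message describes, as an added example that is not code from go-ldap, the Debian package or the bug reporters. A constructed in-memory Directory stands in for an LDAP server that honours the RFC 4513 section 5.1.2 unauthenticated mechanism; the Conn type follows the shape of the upstream fix, with a SimpleBindRequest carrying an AllowEmptyPassword flag and an explicit UnauthenticatedBind method (those identifiers, ErrEmptyPassword, and the uid=alice entry are assumed for this example, not taken from the page). loginVulnerable is the pre-fix client plus the naive application check; loginHardened rejects empty input before it reaches the wire and uses the patched Bind, so either layer alone stops the bypass.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrEmptyPassword: the client refuses to send an empty password unless the
// caller opted in explicitly. Name assumed for this example.
var ErrEmptyPassword = errors.New("ldap: empty password not allowed by the client")

// Directory is a constructed stand-in for an LDAP server. entries maps a bind
// DN to its password; allowUnauthenticated models a server that accepts the
// RFC 4513 5.1.2 unauthenticated mechanism (condition 2 of the CVE text).
type Directory struct {
	entries              map[string]string
	allowUnauthenticated bool
}

// simpleBind is the server side of a Simple Bind:
//   empty DN + empty password     -> anonymous bind, succeeds
//   non-empty DN + empty password -> unauthenticated bind, succeeds only if allowed
//   otherwise                     -> the password is checked
func (d *Directory) simpleBind(dn, password string) error {
	if dn == "" && password == "" {
		return nil
	}
	if password == "" {
		if d.allowUnauthenticated {
			return nil // server grants only anonymous authorization, but reports success
		}
		return errors.New("ldap: unwillingToPerform (53): unauthenticated bind disabled")
	}
	if stored, ok := d.entries[dn]; !ok || stored != password {
		return errors.New("ldap: invalidCredentials (49)")
	}
	return nil
}

// SimpleBindRequest follows the shape of the upstream fix: an empty password
// is refused client-side unless AllowEmptyPassword is set.
type SimpleBindRequest struct {
	Username, Password string
	AllowEmptyPassword bool
}

// Conn is a minimal client wired to the fake directory.
type Conn struct{ srv *Directory }

// SimpleBind applies the guard, then performs the bind.
func (c *Conn) SimpleBind(req *SimpleBindRequest) error {
	if req.Password == "" && !req.AllowEmptyPassword {
		return ErrEmptyPassword
	}
	return c.srv.simpleBind(req.Username, req.Password)
}

// Bind is the patched password bind: "" is never put on the wire.
func (c *Conn) Bind(username, password string) error {
	return c.SimpleBind(&SimpleBindRequest{Username: username, Password: password})
}

// UnauthenticatedBind is the explicit opt-in; callers who want it must say so.
func (c *Conn) UnauthenticatedBind(username string) error {
	return c.SimpleBind(&SimpleBindRequest{Username: username, AllowEmptyPassword: true})
}

// bindPrePatch reproduces the unfixed client: whatever the app passes goes out.
func (c *Conn) bindPrePatch(username, password string) error {
	return c.srv.simpleBind(username, password)
}

// loginVulnerable is the application pattern from the CVE text (condition 1):
// a nil error from Bind is read as "user authenticated".
func loginVulnerable(c *Conn, dn, password string) bool {
	return c.bindPrePatch(dn, password) == nil
}

// loginHardened rejects empty input before it reaches the wire (the RFC 4513
// 5.1.2 advice) and uses the patched Bind.
func loginHardened(c *Conn, dn, password string) bool {
	if dn == "" || password == "" {
		return false
	}
	return c.Bind(dn, password) == nil
}

// newTestConn builds a directory that allows unauthenticated bind, holding
// one constructed entry.
func newTestConn() *Conn {
	return &Conn{srv: &Directory{
		entries:              map[string]string{"uid=alice,ou=people,dc=example,dc=org": "correct horse"},
		allowUnauthenticated: true,
	}}
}

func main() {
	c := newTestConn()
	dn := "uid=alice,ou=people,dc=example,dc=org"
	fmt.Println("vulnerable app, empty password:", loginVulnerable(c, dn, ""))            // true
	fmt.Println("hardened app, empty password:  ", loginHardened(c, dn, ""))              // false
	fmt.Println("hardened app, right password:  ", loginHardened(c, dn, "correct horse")) // true
	fmt.Println("patched Bind with \"\":          ", c.Bind(dn, ""))                      // ErrEmptyPassword
	fmt.Println("explicit UnauthenticatedBind:  ", c.UnauthenticatedBind(dn))            // <nil>
}
```

Note that the server-side result codes in the fake directory (49 invalidCredentials, 53 unwillingToPerform) are the real LDAP result codes a directory would return; the point of the example is that with allowUnauthenticated set the server returns success for an empty password, so an application that only tests for a nil error lets anyone in who knows a valid DN. The guard belongs in both the application and the client library, because an older library version on the same code path silently drops the second layer.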




Added tag(s) pending. Request was from pkg-go-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Wed, 29 Nov 2017 13:18:04 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#876404. (Wed, 29 Nov 2017 13:18:06 GMT)


Reply sent to toddy@debian.org (Dr. Tobias Quathamer):
You have taken responsibility. (Wed, 29 Nov 2017 13:36:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 29 Nov 2017 13:36:06 GMT)


Message #20 received at 876404-close@bugs.debian.org:

From: toddy@debian.org (Dr. Tobias Quathamer)
To: 876404-close@bugs.debian.org
Subject: Bug#876404: fixed in golang-github-go-ldap-ldap 2.5.1-1
Date: Wed, 29 Nov 2017 13:33:52 +0000
Source: golang-github-go-ldap-ldap
Source-Version: 2.5.1-1

We believe that the bug you reported is fixed in the latest version of
golang-github-go-ldap-ldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876404@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <toddy@debian.org> (supplier of updated golang-github-go-ldap-ldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 29 Nov 2017 14:09:11 +0100
Source: golang-github-go-ldap-ldap
Binary: golang-github-go-ldap-ldap-dev
Architecture: source
Version: 2.5.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
Changed-By: Dr. Tobias Quathamer <toddy@debian.org>
Description:
 golang-github-go-ldap-ldap-dev - Basic LDAP v3 functionality for the Go programming language
Closes: 876404
Changes:
 golang-github-go-ldap-ldap (2.5.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 2.5.1
     - New patch: Require explicit intention for empty password.
       This is a cherry-pick of 95ede12 from upstream, which fixes
       CVE-2017-14623. (Closes: #876404)
   * Use debhelper v10
   * Update team name
   * Update to Standards-Version 4.1.1
     - Use HTTPS URL for d/copyright
     - Use Priority: optional
   * Use golang-any instead of golang-go
   * Update d/copyright
   * Use wrap-and-sort for d/control
Checksums-Sha1:
 620e36fa53bd2cdaa8e305cb7956d999c06b0894 2248 golang-github-go-ldap-ldap_2.5.1-1.dsc
 9138c2d8abec31288e3a56b368f91dfb01628ae6 30968 golang-github-go-ldap-ldap_2.5.1.orig.tar.xz
 fa0fa7b66ee7dd2976eb86088fa662cdfb74ef55 5480 golang-github-go-ldap-ldap_2.5.1-1.debian.tar.xz
 1f401c24d3598aeff92775e43b36fc9bab500ca0 5607 golang-github-go-ldap-ldap_2.5.1-1_amd64.buildinfo
Checksums-Sha256:
 321651970608023b0f50f51ee02b9f30335c0ba60fbb3b38e82c44a698791965 2248 golang-github-go-ldap-ldap_2.5.1-1.dsc
 0d0ed93954ba9e36984064071c7dc4c1b6d807d834c7e7ef895f9cf8eeb83a30 30968 golang-github-go-ldap-ldap_2.5.1.orig.tar.xz
 026512aae35bbd716a3612dc86094fa32896eca604fef1c861da5eefb94c1c62 5480 golang-github-go-ldap-ldap_2.5.1-1.debian.tar.xz
 98c2b6e3eb4de176653805f397354b4da497af16756d80ceb4bff41adadb6974 5607 golang-github-go-ldap-ldap_2.5.1-1_amd64.buildinfo
Files:
 d82f46c01c5042fc438c894e5ebd3ffe 2248 devel optional golang-github-go-ldap-ldap_2.5.1-1.dsc
 e3bbd3a731ec3c96e174b5aee76d101a 30968 devel optional golang-github-go-ldap-ldap_2.5.1.orig.tar.xz
 ebc50b664507b27d8d1a83a734300c05 5480 devel optional golang-github-go-ldap-ldap_2.5.1-1.debian.tar.xz
 b34785bd65395843a31cb02697f389e0 5607 devel optional golang-github-go-ldap-ldap_2.5.1-1_amd64.buildinfo





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#876404; Package src:golang-github-go-ldap-ldap. (Sun, 03 Dec 2017 19:09:03 GMT)


Message #23 received at 876404@bugs.debian.org:

From: pkg-go-maintainers@lists.alioth.debian.org
To: 876404@bugs.debian.org, 876404-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the golang-github-go-ldap-ldap package
Date: Sun, 03 Dec 2017 19:06:05 +0000
tag 876404 + pending
thanks

Some bugs in the golang-github-go-ldap-ldap package are closed in
revision e357b3fd4067f7b070a2031bdf9d3ae91ca00278 in branch 'stretch'
by Dr. Tobias Quathamer

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-go/packages/golang-github-go-ldap-ldap.git/commit/?id=e357b3f

Commit message:

    Require explicit intention for empty password.
    
    This is normally used for unauthenticated bind, and
    https://tools.ietf.org/html/rfc4513#section-5.1.2 recommends:
    
    > Clients SHOULD disallow an empty password input to a Name/Password
    > Authentication user interface
    
    This is (mostly) a cherry-pick of 95ede12 from upstream. I've removed
    the bit in ldap_test.go, which is unrelated to the security issue.
    
    This fixes CVE-2017-14623.
    
    https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66
    
    Closes: #876404




Added tag(s) pending. Request was from pkg-go-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Sun, 03 Dec 2017 19:09:06 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#876404. (Sun, 03 Dec 2017 19:09:10 GMT)


Reply sent to toddy@debian.org (Dr. Tobias Quathamer):
You have taken responsibility. (Sat, 09 Dec 2017 14:39:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 09 Dec 2017 14:39:07 GMT)


Message #33 received at 876404-close@bugs.debian.org:

From: toddy@debian.org (Dr. Tobias Quathamer)
To: 876404-close@bugs.debian.org
Subject: Bug#876404: fixed in golang-github-go-ldap-ldap 2.4.1-1+deb9u1
Date: Sat, 09 Dec 2017 14:37:39 +0000
Source: golang-github-go-ldap-ldap
Source-Version: 2.4.1-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
golang-github-go-ldap-ldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876404@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <toddy@debian.org> (supplier of updated golang-github-go-ldap-ldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 29 Nov 2017 23:45:26 +0100
Source: golang-github-go-ldap-ldap
Binary: golang-github-go-ldap-ldap-dev
Architecture: source all
Version: 2.4.1-1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: pkg-go <pkg-go-maintainers@lists.alioth.debian.org>
Changed-By: Dr. Tobias Quathamer <toddy@debian.org>
Description:
 golang-github-go-ldap-ldap-dev - Basic LDAP v3 functionality for the Go programming language
Closes: 876404
Changes:
 golang-github-go-ldap-ldap (2.4.1-1+deb9u1) stretch; urgency=medium
 .
   * Team upload.
   * Require explicit intention for empty password.
     This is normally used for unauthenticated bind, and
     https://tools.ietf.org/html/rfc4513#section-5.1.2 recommends:
     "Clients SHOULD disallow an empty password input to a Name/Password
     Authentication user interface"
     This is (mostly) a cherry-pick of 95ede12 from upstream, except
     the bit in ldap_test.go, which is unrelated to the security issue.
     This fixes CVE-2017-14623. (Closes: #876404)
Checksums-Sha1:
 ea84eca5b7aa9fee4f9bb3e1a95158d9f2c56b52 2223 golang-github-go-ldap-ldap_2.4.1-1+deb9u1.dsc
 fff71768d88342f57aabf4d33102950b1755b04b 33674 golang-github-go-ldap-ldap_2.4.1.orig.tar.gz
 e67aff5db4ddaf4535e747bec504a196a819c3ab 4620 golang-github-go-ldap-ldap_2.4.1-1+deb9u1.debian.tar.xz
 71b9526f76fad2fefafaa508d8c41a99b76b641e 30570 golang-github-go-ldap-ldap-dev_2.4.1-1+deb9u1_all.deb
 e0a332f868ab66f53c947776f76edfe29eceb78e 5883 golang-github-go-ldap-ldap_2.4.1-1+deb9u1_amd64.buildinfo
Checksums-Sha256:
 ef955905738d97ee3e80273012e2646dbbc919f14b1eeb4f8c7d4ca5b9ab0ac5 2223 golang-github-go-ldap-ldap_2.4.1-1+deb9u1.dsc
 958d8cd684b0578ca16289bcbdcfa25018e7af4c08eb7adc99a5f5a541b29c29 33674 golang-github-go-ldap-ldap_2.4.1.orig.tar.gz
 5ed5655409eddf8b0f9df20689cf67a4fdaeee410955721f59cadd498932f118 4620 golang-github-go-ldap-ldap_2.4.1-1+deb9u1.debian.tar.xz
 1bb686072f3b8186c2b917b789f33f59bb2e98c80f551bebbcf5ddc84267435d 30570 golang-github-go-ldap-ldap-dev_2.4.1-1+deb9u1_all.deb
 74c44af6ac520976917793b2d08fb7b49cf226d8510ddae3e5370fd923aa681c 5883 golang-github-go-ldap-ldap_2.4.1-1+deb9u1_amd64.buildinfo
Files:
 416725ba71351016c4827c8493c0a326 2223 devel extra golang-github-go-ldap-ldap_2.4.1-1+deb9u1.dsc
 9b92afe3a5658d017c68ade126fdf68e 33674 devel extra golang-github-go-ldap-ldap_2.4.1.orig.tar.gz
 0426918d62c841a260b4708ddf1c7b66 4620 devel extra golang-github-go-ldap-ldap_2.4.1-1+deb9u1.debian.tar.xz
 d9cc19be2c741be84a8a3cc52b7491fb 30570 devel extra golang-github-go-ldap-ldap-dev_2.4.1-1+deb9u1_all.deb
 f7eadcf8bae23929f7260d80bb49c431 5883 devel extra golang-github-go-ldap-ldap_2.4.1-1+deb9u1_amd64.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Mar 2018 07:25:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:49:41 2019; Machine Name: beach
