Your message dated Thu, 2 May 2019 19:37:54 +0200
with message-id <[email protected]>
and subject line Re: matrix-synapse-ldap3: users can impersonate any other users
has caused the Debian Bug report #928354,
regarding matrix-synapse-ldap3: users can impersonate any other users
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
928354: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928354
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:matrix-synapse-ldap3
Severity: important

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Due to a bug, it is possible to log in as any user without proper
authentication:

> It turns out the bug was related to a change that was made in the
> unreleased “master” branch of the matrix-appservice-ldap3 plugin being
> used by Librem Chat to authenticate users over LDAP. The bug ultimately
> came down to a mistake in a single line of code in a function related
> to LDAP searches:
> 
> - result = yield self._ldap_simple_bind(
> + result, _ = yield self._ldap_simple_bind(
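Review bot: nothing in this one-line change guards against the mistake recurring, and the `+` line gives no hint of what the discarded `_` is. If `_ldap_simple_bind` returns a pair, as the `result, _ =` unpacking implies, then on the `-` line `result` holds the whole tuple, and a non-empty tuple is truthy in Python whatever its first element is, so any later truthiness check on `result` would pass even after a failed bind. Alongside the unpacking I would ask for a regression test asserting that a login with a wrong password is rejected, and a short comment on this line naming the second returned value.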

[1]: https://twitter.com/matrixdotorg/status/1123298776725303299
[2]: https://puri.sm/posts/underscoring-our-transparency-first-librem-one-bug-report/

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message ---
On 02/05/2019 19:27, Andrej Shadura wrote:
> Package: src:matrix-synapse-ldap3
> Severity: important
> 
> Due to a bug, it is possible to log in as any user without proper
> authentication:
> 
>> It turns out the bug was related to a change that was made in the
>> unreleased “master” branch of the matrix-appservice-ldap3 plugin being
>> used by Librem Chat to authenticate users over LDAP. The bug ultimately
>> came down to a mistake in a single line of code in a function related
>> to LDAP searches:
> 
>> - result = yield self._ldap_simple_bind(
>> + result, _ = yield self._ldap_simple_bind(
> 
> [1]: https://twitter.com/matrixdotorg/status/1123298776725303299
> [2]: https://puri.sm/posts/underscoring-our-transparency-first-librem-one-bug-report/

Since the Debian package ships patches from
https://github.com/matrix-org/matrix-synapse-ldap3/pull/46, this is not
relevant for the version Debian currently ships.

-- 
Cheers,
  Andrej

--- End Message ---
