Simone Piccardi <picca...@truelite.it> writes: > When creating a connection with the Connection object the code defaults to > AUTH_ANONYMOUS (doing so an anonymus bind) also when _only_ the password > is empty (not, as said by documentation, when both user and password are > empty).
Hello, You appear to be reporting this bug against the version in Jessie. However the version in unstable is fixed. See https://github.com/cannatag/ldap3/issues/174 As a result, I don't think there is anything I can do with this report. You could try talking to the security team, however I don't think this would qualify as a security issue requiring a security fix. It might also qualify for an update as a point release. I would be nervous about changing the behaviour of a function in a stable release, and the potential of this change to break other applications that could potentially be relying on this (broken) behaviour. Regards -- Brian May <b...@debian.org>