Package        : libspring-ldap-java
Version        : 1.3.1.RELEASE-4+deb7u1
CVE ID         : CVE-2017-8028

Tobias Schneider discovered that Spring-LDAP would allow authentication with an arbitrary password when the username is correct, no additional attributes are bound and when using LDAP BindAuthenticator with DefaultTlsDirContextAuthenticationStrategy as the authentication strategy and setting userSearch. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.

For Debian 7 "Wheezy", these problems have been fixed in version 1.3.1.RELEASE-4+deb7u1.

We recommend that you upgrade your libspring-ldap-java packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
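
The cause described above, as a toy model in Python (an added example, not Spring-LDAP or Debian code; the class and function names, the `reconnect` step and the sample directory are constructed for illustration). A context that only records credentials locally accepts any password until an explicit operation makes the server evaluate the bind.

```python
class LazyBindContext:
    """Toy directory context (constructed): the server checks credentials
    only when an explicit operation forces the bind to be evaluated."""

    def __init__(self, directory):
        self._directory = directory   # dn -> password, stands in for the LDAP server
        self._principal = None
        self._credentials = None
        self.bound_as = None          # identity the server has actually verified

    def add_to_environment(self, principal, credentials):
        # Only records the values locally; nothing is sent to the server yet.
        self._principal, self._credentials = principal, credentials

    def reconnect(self):
        # Explicit operation: the server now evaluates the bind request.
        if self._directory.get(self._principal) != self._credentials:
            raise PermissionError("invalid credentials for %s" % self._principal)
        self.bound_as = self._principal


def find_user_dn(directory, username):
    # Stand-in for the userSearch step: maps a login name to a DN.
    dn = "uid=%s,ou=people,dc=example,dc=org" % username
    return dn if dn in directory else None


def authenticate_deferred(directory, username, password):
    """Flawed flow: sets the credentials and treats 'no error' as success."""
    dn = find_user_dn(directory, username)
    if dn is None:
        return False
    ctx = LazyBindContext(directory)
    ctx.add_to_environment(dn, password)
    return True                       # the bind was never evaluated


def authenticate_forced(directory, username, password):
    """Corrected flow: forces the bind, then checks the verified identity."""
    dn = find_user_dn(directory, username)
    if dn is None:
        return False
    ctx = LazyBindContext(directory)
    ctx.add_to_environment(dn, password)
    try:
        ctx.reconnect()
    except PermissionError:
        return False
    return ctx.bound_as == dn


DIRECTORY = {"uid=alice,ou=people,dc=example,dc=org": "correct horse"}  # constructed sample
```

A regression test for an LDAP login path should follow the same shape: a known username with a wrong password must be rejected.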
