On Wed, 05 Nov 2014, Simo Sorce wrote:
> On Wed, 5 Nov 2014 22:22:16 +0200
> Alexander Bokovoy <aboko...@redhat.com> wrote:
>
> > On Wed, 05 Nov 2014, Nathaniel McCallum wrote:
> > > Before this patch users could log in using only the OTP value. This
> > > arose because ipapwd_authentication() successfully determined that
> > > an empty password was invalid, but 389 itself would see this as an
> > > anonymous bind. An anonymous bind would never even get this far in
> > > this code, so we simply deny requests with empty passwords.
> > >
> > > This patch resolves CVE-2014-7828.
> > >
> > > https://fedorahosted.org/freeipa/ticket/4690
> > ACK.
>
> Code sounds good, but I haven't tested it.
>
> > We need to do a release for 4.0 and 4.1 first thing tomorrow.
>
> Yes.
>
> > A possible workaround is to disable 2FA for users in the meantime.
>
> We should send a warning to the freeipa-users mailing list that we are
> preparing a release and they should consider disabling 2FA in the
> meanwhile if they are using it.
Done.

--
/ Alexander Bokovoy
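The failure mode Nathaniel describes, as an added toy model that is not FreeIPA's or 389-ds's code: the credential is password followed by OTP digits, the plugin's own password check correctly rejects an empty password, but the bind then reaches the server as "DN plus empty password", which the model (an assumption about 389 semantics) treats as an anonymous bind rather than a failure. The `hardened` flag is the fix from the patch: deny empty passwords before the server's bind ever runs. User entry, DN and the RFC 4226 test key are constructed.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6
# Constructed user entry; the key is the RFC 4226 test key, not a real secret.
USERS = {
    "uid=alice,cn=users,dc=example,dc=com": {
        "password": "s3cret-passw0rd",
        "otp_key": b"12345678901234567890",
    },
}

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP, used only to build a valid OTP for the demo."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"

def ipapwd_authentication(dn: str, password: str) -> bool:
    """Plugin-side password check: an empty password is (correctly) invalid."""
    user = USERS.get(dn)
    return bool(password) and user is not None and hmac.compare_digest(password, user["password"])

def server_simple_bind(dn: str, password: str) -> str:
    """Assumed 389-style semantics: a simple bind carrying a DN but an empty
    password is an anonymous bind, which succeeds without authenticating anyone."""
    if password == "":
        return "anonymous"
    return "authenticated" if ipapwd_authentication(dn, password) else "denied"

def otp_preop_bind(dn: str, credential: str, counter: int, hardened: bool) -> str:
    """Model of the OTP pre-bind path; credential = password + OTP digits."""
    user = USERS.get(dn)
    if user is None or len(credential) < OTP_DIGITS:
        return "denied"
    password, otp = credential[:-OTP_DIGITS], credential[-OTP_DIGITS:]
    if hardened and password == "":
        return "denied"  # the fix: deny empty passwords before 389 sees the bind
    if not hmac.compare_digest(otp, hotp(user["otp_key"], counter)):
        return "denied"
    if ipapwd_authentication(dn, password):
        return "authenticated"
    # Assumed: the plugin declines and hands the bind to the server, which sees
    # "DN + empty password" and treats it as anonymous rather than as a failure.
    return server_simple_bind(dn, password)
```

With `hardened=False`, an OTP-only credential ends in "anonymous" (a successful bind); with `hardened=True` the same request is denied and only password plus OTP authenticates.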

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel