On 5.11.2014 21:22, Alexander Bokovoy wrote:
> On Wed, 05 Nov 2014, Nathaniel McCallum wrote:
>> Before this patch users could log in using only the OTP value. This
>> arose because ipapwd_authentication() successfully determined that
>> an empty password was invalid, but 389 itself would see this as an
>> anonymous bind. An anonymous bind would never even get this far in
>> this code, so we simply deny requests with empty passwords.
>>
>> This patch resolves CVE-2014-7828.
>>
>> https://fedorahosted.org/freeipa/ticket/4690
> ACK.
>
> We need to do a release for 4.0 and 4.1 first thing tomorrow.
> A possible workaround is to disable 2FA for users in the meantime.
Pushed to:
master: 79df668b5df59813ffbb6192eecfb687bccbc0eb
ipa-4-1: a601daa0117c4991ae7e198cc864246c66d36f57
ipa-4-0: 013e2eae2041729d5ee6ad4dc825bc4f24234ec6
--
Petr Vobornik

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
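The bind flow the commit message describes, modelled as an added example (this is constructed code, not FreeIPA or 389-ds code, and the names `Directory`, `simple_bind`, `bind_before_fix`, `bind_after_fix`, `OTP_LEN` and the sample user data are stand-ins). The model assumes the credential is "password followed by a six-character OTP", that the server-side password check treats an empty credential as an anonymous bind rather than as a failure, and that OTP verification is a static per-user value instead of a real token algorithm. The pre-fix path lets an OTP-only credential through because the empty remainder "succeeds" as an anonymous bind; the post-fix path rejects the empty password before anything else is consulted.

```python
"""Model of the OTP / empty-password flaw from the commit message.

Constructed example, not FreeIPA or 389-ds code. `Directory.simple_bind`
stands in for the server-side password check that treats an empty credential
as an anonymous bind; the OTP check is a static value, not a token algorithm.
"""
import hmac

OTP_LEN = 6  # assumption: the OTP is the last six characters of the credential


class Directory:
    """Stand-in for the directory's simple bind (constructed, not 389-ds)."""

    def __init__(self, passwords):
        self.passwords = passwords  # user -> password (plaintext for the model)

    def simple_bind(self, user, password):
        # Behaviour described in the thread: an empty password is not an
        # authentication failure but an anonymous bind, so no error results.
        if password == "":
            return True
        stored = self.passwords.get(user, "")
        return hmac.compare_digest(stored, password)


def split_credential(credential):
    """Split 'password + OTP' into its two parts, or None if too short."""
    if len(credential) < OTP_LEN:
        return None
    return credential[:-OTP_LEN], credential[-OTP_LEN:]


def otp_valid(otps, user, otp):
    """Constant-time comparison against the stand-in per-user OTP value."""
    return hmac.compare_digest(otps.get(user, ""), otp)


def bind_before_fix(directory, otps, user, credential):
    """Flawed flow: check the OTP, then hand the remainder to the directory."""
    parts = split_credential(credential)
    if parts is None:
        return False
    password, otp = parts
    if not otp_valid(otps, user, otp):
        return False
    # With an empty password this 'succeeds' as an anonymous bind.
    return directory.simple_bind(user, password)


def bind_after_fix(directory, otps, user, credential):
    """Fixed flow: deny an empty password before any backend call is made."""
    parts = split_credential(credential)
    if parts is None:
        return False
    password, otp = parts
    if password == "":
        return False
    if not otp_valid(otps, user, otp):
        return False
    return directory.simple_bind(user, password)


# Constructed sample data for a local run.
DIRECTORY = Directory({"alice": "s3cret"})
OTPS = {"alice": "123456"}

if __name__ == "__main__":
    print("OTP only, before fix:", bind_before_fix(DIRECTORY, OTPS, "alice", "123456"))
    print("OTP only, after fix: ", bind_after_fix(DIRECTORY, OTPS, "alice", "123456"))
    print("password+OTP, after: ", bind_after_fix(DIRECTORY, OTPS, "alice", "s3cret123456"))
```

The ordering in `bind_after_fix` is the point: the empty-password check sits in the plugin, ahead of the backend, because the backend cannot be relied on to report an empty credential as a failure.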