Howard Chu wrote:
> [email protected] wrote:
>> Full_Name: Ryan Tandy
>> Version: master (7df548d), RE24 (2b14bbc)
>> OS: Debian unstable
>> URL:
>> Submission from: (NULL) (142.32.208.227)
>>
>>
>> If you use the deref control but leave the list of requested attributes empty,
>> slapd crashes.
>>
>> ldapsearch [...] -E deref=member:
>>
>> The ldapsearch manpage implies this probably isn't valid, but it still accepted
>> it. (FWIW, I tried it just to see whether it would return all attributes or
>> none.) I couldn't tell from draft-ldap-deref-00 whether an empty attr list is
>> considered a valid request.
>>
> Patched in master to reject a request with an empty attr list.
>
For future reference, this was registered as CVE-2015-1545.
--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
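
The check described in the message above (reject a deref request whose attribute list is empty), sketched as an added example; this is not the OpenLDAP patch or any code from the project. It assumes the control value is BER-encoded as a SEQUENCE OF SEQUENCE { derefAttr OCTET STRING, attributes SEQUENCE OF OCTET STRING }, and the names `tlv`, `deref_value_check` and the `DEREF_*` codes are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
enum { DEREF_OK = 0, DEREF_MALFORMED = -1, DEREF_EMPTY_ATTRS = -2 };

/* Read a BER header with tag `want`; on success *p points at the value. */
static int tlv(const unsigned char **p, const unsigned char *end,
               unsigned char want, size_t *len)
{
    if (end - *p < 2 || (*p)[0] != want) return -1;
    size_t n = (*p)[1];
    *p += 2;
    if (n & 0x80) {                      /* long form: n & 0x7f length bytes */
        size_t k = n & 0x7f;
        if (k == 0 || k > 2 || (size_t)(end - *p) < k) return -1;
        for (n = 0; k--; (*p)++) n = (n << 8) | **p;
    }
    if ((size_t)(end - *p) < n) return -1;   /* value must fit in the buffer */
    *len = n;
    return 0;
}

/* Assumed layout: SEQUENCE OF SEQUENCE { derefAttr, SEQUENCE OF attr } */
int deref_value_check(const unsigned char *buf, size_t buflen)
{
    const unsigned char *p = buf, *end = buf + buflen, *spec_end;
    size_t len;
    if (tlv(&p, end, 0x30, &len) || len == 0 || p + len != end) return DEREF_MALFORMED;
    while (p < end) {
        if (tlv(&p, end, 0x30, &len)) return DEREF_MALFORMED;
        spec_end = p + len;
        if (tlv(&p, spec_end, 0x04, &len) || len == 0) return DEREF_MALFORMED;
        p += len;                            /* skip derefAttr */
        if (tlv(&p, spec_end, 0x30, &len) || p + len != spec_end) return DEREF_MALFORMED;
        if (len == 0) return DEREF_EMPTY_ATTRS;  /* the "deref=member:" case */
        while (p < spec_end) {               /* each requested attribute */
            if (tlv(&p, spec_end, 0x04, &len) || len == 0) return DEREF_MALFORMED;
            p += len;
        }
    }
    return DEREF_OK;
}

/* Constructed samples: deref=member:cn and deref=member: (empty list). */
static const unsigned char good[] = { 0x30,0x10, 0x30,0x0e, 0x04,0x06,'m','e','m','b','e','r', 0x30,0x04, 0x04,0x02,'c','n' };
static const unsigned char empty[] = { 0x30,0x0c, 0x30,0x0a, 0x04,0x06,'m','e','m','b','e','r', 0x30,0x00 };
int main(void)
{
    printf("good=%d empty=%d\n", deref_value_check(good, sizeof good),
           deref_value_check(empty, sizeof empty));
    return 0;
}
```

Running the check before any code indexes into the attribute list lets the server answer with a protocol error instead of operating on an empty list.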
