Your message dated Wed, 29 Nov 2017 13:33:52 +0000
with message-id <e1ek2uq-000bpa...@fasolo.debian.org>
and subject line Bug#876404: fixed in golang-github-go-ldap-ldap 2.5.1-1
has caused the Debian Bug report #876404,
regarding golang-github-go-ldap-ldap: CVE-2017-14623
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
876404: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876404
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-github-go-ldap-ldap
Version: 2.4.1-1
Severity: important
Tags: patch upstream security
Forwarded: https://github.com/go-ldap/ldap/pull/126

Hi,

the following vulnerability was published for golang-github-go-ldap-ldap.

CVE-2017-14623[0]:
| In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker
| may be able to login with an empty password. This issue affects an
| application using this package if these conditions are met: (1) it
| relies only on the return error of the Bind function call to determine
| whether a user is authorized (i.e., a nil return value is interpreted
| as successful authorization) and (2) it is used with an LDAP server
| allowing unauthenticated bind.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14623
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14623
[1] https://github.com/go-ldap/ldap/pull/126
[2] https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66

Regards,
Salvatore

--- End Message ---
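The condition the CVE text above describes is easy to reproduce without a directory server, so here is an added Go example (not code from go-ldap or from the Debian package) that contrasts the vulnerable login pattern with a hardened one. It assumes a minimal `Binder` interface standing in for an `ldap.Conn`, a constructed fake `permissiveServer` that accepts an empty password the way a server with unauthenticated bind does, and the helper names `loginVulnerable`, `loginHardened`, `ErrEmptyPassword` and `newSampleServer`; the sample DN and password are invented. Upstream's 2.5.1 fix moves a comparable check into `Bind` itself ("Require explicit intention for empty password"); the application-side guard shown here is the defence-in-depth check to keep regardless of library version.

```go
package main

import (
	"errors"
	"fmt"
)

// Binder is the slice of an LDAP connection that login code needs: a simple
// bind of a DN with a password. Assumption: it stands in for a real
// ldap.Conn so the example runs offline.
type Binder interface {
	Bind(dn, password string) error
}

// permissiveServer is a constructed fake of an LDAP server with
// unauthenticated bind enabled (RFC 4513 section 5.1.2): an empty password
// produces a successful anonymous bind, which the client sees as a nil error
// even though no identity was proven.
type permissiveServer struct {
	passwords map[string]string // DN -> password, constructed sample data
}

func (s permissiveServer) Bind(dn, password string) error {
	if password == "" {
		return nil // unauthenticated bind: accepted, but grants no identity
	}
	if stored, ok := s.passwords[dn]; ok && stored == password {
		return nil
	}
	return errors.New("invalid credentials")
}

// ErrEmptyPassword is returned before any bind is attempted.
var ErrEmptyPassword = errors.New("empty password rejected before bind")

// loginVulnerable mirrors the pattern the CVE describes: a nil error from
// Bind is taken as proof that the caller holds the user's password.
func loginVulnerable(c Binder, dn, password string) bool {
	return c.Bind(dn, password) == nil
}

// loginHardened refuses to send an empty password at all, so an
// unauthenticated bind can never be mistaken for a successful login.
func loginHardened(c Binder, dn, password string) (bool, error) {
	if password == "" {
		return false, ErrEmptyPassword
	}
	if err := c.Bind(dn, password); err != nil {
		return false, err
	}
	return true, nil
}

// newSampleServer builds the fake with one constructed account.
func newSampleServer() permissiveServer {
	return permissiveServer{passwords: map[string]string{
		"uid=alice,ou=people,dc=example,dc=org": "correct-horse",
	}}
}

func main() {
	srv := newSampleServer()
	dn := "uid=alice,ou=people,dc=example,dc=org"
	fmt.Printf("vulnerable, empty password: %v\n", loginVulnerable(srv, dn, ""))
	ok, err := loginHardened(srv, dn, "")
	fmt.Printf("hardened, empty password: %v (%v)\n", ok, err)
	ok, err = loginHardened(srv, dn, "correct-horse")
	fmt.Printf("hardened, real password: %v (%v)\n", ok, err)
}
```

Against the fake, `loginVulnerable` returns true for an empty password, which is exactly the failure mode of condition (1) combined with condition (2); `loginHardened` returns `ErrEmptyPassword` without ever touching the server, and still authenticates normally with the real password.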
--- Begin Message ---
Source: golang-github-go-ldap-ldap
Source-Version: 2.5.1-1

We believe that the bug you reported is fixed in the latest version of
golang-github-go-ldap-ldap, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <to...@debian.org> (supplier of updated 
golang-github-go-ldap-ldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 29 Nov 2017 14:09:11 +0100
Source: golang-github-go-ldap-ldap
Binary: golang-github-go-ldap-ldap-dev
Architecture: source
Version: 2.5.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
Changed-By: Dr. Tobias Quathamer <to...@debian.org>
Description:
 golang-github-go-ldap-ldap-dev - Basic LDAP v3 functionality for the Go programming language
Closes: 876404
Changes:
 golang-github-go-ldap-ldap (2.5.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 2.5.1
     - New patch: Require explicit intention for empty password.
       This is a cherry-pick of 95ede12 from upstream, which fixes
       CVE-2017-14623. (Closes: #876404)
   * Use debhelper v10
   * Update team name
   * Update to Standards-Version 4.1.1
     - Use HTTPS URL for d/copyright
     - Use Priority: optional
   * Use golang-any instead of golang-go
   * Update d/copyright
   * Use wrap-and-sort for d/control
Checksums-Sha1:
 620e36fa53bd2cdaa8e305cb7956d999c06b0894 2248 golang-github-go-ldap-ldap_2.5.1-1.dsc
 9138c2d8abec31288e3a56b368f91dfb01628ae6 30968 golang-github-go-ldap-ldap_2.5.1.orig.tar.xz
 fa0fa7b66ee7dd2976eb86088fa662cdfb74ef55 5480 golang-github-go-ldap-ldap_2.5.1-1.debian.tar.xz
 1f401c24d3598aeff92775e43b36fc9bab500ca0 5607 golang-github-go-ldap-ldap_2.5.1-1_amd64.buildinfo
Checksums-Sha256:
 321651970608023b0f50f51ee02b9f30335c0ba60fbb3b38e82c44a698791965 2248 golang-github-go-ldap-ldap_2.5.1-1.dsc
 0d0ed93954ba9e36984064071c7dc4c1b6d807d834c7e7ef895f9cf8eeb83a30 30968 golang-github-go-ldap-ldap_2.5.1.orig.tar.xz
 026512aae35bbd716a3612dc86094fa32896eca604fef1c861da5eefb94c1c62 5480 golang-github-go-ldap-ldap_2.5.1-1.debian.tar.xz
 98c2b6e3eb4de176653805f397354b4da497af16756d80ceb4bff41adadb6974 5607 golang-github-go-ldap-ldap_2.5.1-1_amd64.buildinfo
Files:
 d82f46c01c5042fc438c894e5ebd3ffe 2248 devel optional golang-github-go-ldap-ldap_2.5.1-1.dsc
 e3bbd3a731ec3c96e174b5aee76d101a 30968 devel optional golang-github-go-ldap-ldap_2.5.1.orig.tar.xz
 ebc50b664507b27d8d1a83a734300c05 5480 devel optional golang-github-go-ldap-ldap_2.5.1-1.debian.tar.xz
 b34785bd65395843a31cb02697f389e0 5607 devel optional golang-github-go-ldap-ldap_2.5.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE0cuPObxd7STF0seMEwLx8Dbr6xkFAloesqoACgkQEwLx8Dbr
6xllgA/+L9jQij1BO4C7jmCLROkjkIx9W9fJxddOeGSoQLqdtdtEqcEuJRqGuCg0
bqJLtQBPFk68JDHSOoc9FGfayUT2i3ywYLQ6KUDyC+u75Awl/4QdnJlbODImf6Ce
0jZXxIpDxEgJ0WQ4hY8HPyDIyb8yGP2bvcic/VzljeXjlZMtlivj3G/hISsKYQn5
6EXV4iI37dikWaRZDUgBMa/xgJn4ycCxl/MksxDoshGmEtgjrHCwZsO+J+7Lk6ed
bconzqVzuaezlmUAOblSA8Awd4u21oLE0HOSKA6i6C/nMseVayB0nW6wHF+ytBMb
QEmUulM+BxpJhjdWCWRZyTUH6YkRlIwTZfHelMhpzaRRmtg05l8wFubmb+/LXDSK
1nilgHYSWeZdM9hzgmNz2JiSHVwfuF87PFUOP9dnJ3YimfsUgLpbVVUbp6SwhRay
PBW31dJA3Mhu+Bvm3v/w3RZGNqu1JGePFcRJ+PLeK22Q3a07vgslq/5amldhm3P+
eyEc72MUTgwLUQWgpCRq64dJb5kRlbQKFbx4cminJf5SmbtcNxOtSi+DtoT1Cvqv
4iz2ZeVeecCIWPzWchrKk+ytpNw4UbA8Rp2ub09eKrr6A0bV69GcSXKj06dVWBf+
bAwJsjmMu/41hS3AsJs1+jSaXvlFpPYp53jilQUYUjS+Vnrp1JM=
=GoOa
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Pkg-go-maintainers mailing list
Pkg-go-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-go-maintainers