tag 876404 + pending
Some bugs in the golang-github-go-ldap-ldap package are closed in
revision e357b3fd4067f7b070a2031bdf9d3ae91ca00278 in branch 'stretch'
by Dr. Tobias Quathamer
The full diff can be seen at
Require explicit intention for empty password.
This is normally used for unauthenticated bind, and
> Clients SHOULD disallow an empty password input to a Name/Password
> Authentication user interface
This is (mostly) a cherry-pick of 95ede12 from upstream. I've removed
the bit in ldap_test.go, which is unrelated to the security issue.
This fixes CVE-2017-14623.
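
Added example, not part of the commit above or of go-ldap's own code: a self-contained Go model of why a client should refuse an empty password unless the caller asks for an unauthenticated bind. The server stub, the type and function names and the allowEmptyPassword field are assumptions made for this sketch; the stub models a directory that accepts an empty-password bind without checking any credential.

```go
package main

import (
	"errors"
	"fmt"
)

// fakeServer is a constructed stand-in for a directory that accepts
// unauthenticated binds: an empty password is never checked.
type fakeServer struct{ passwords map[string]string }

func (s fakeServer) simpleBind(dn, password string) error {
	if password == "" {
		return nil // accepted with anonymous authorization
	}
	if want, ok := s.passwords[dn]; ok && want == password {
		return nil
	}
	return errors.New("invalid credentials")
}

// bindRequest and allowEmptyPassword are hypothetical names for this sketch.
type bindRequest struct {
	dn, password       string
	allowEmptyPassword bool // explicit opt-in to an unauthenticated bind
}

var errEmptyPassword = errors.New("empty password not allowed by the client")

// bindUnchecked forwards whatever the user typed, with no client-side check.
func bindUnchecked(s fakeServer, r bindRequest) error { return s.simpleBind(r.dn, r.password) }

// bindChecked refuses an empty password unless the caller opted in.
func bindChecked(s fakeServer, r bindRequest) error {
	if r.password == "" && !r.allowEmptyPassword {
		return errEmptyPassword
	}
	return s.simpleBind(r.dn, r.password)
}

// login treats a successful bind as proof of identity, as login forms do.
func login(bind func(fakeServer, bindRequest) error, s fakeServer, dn, pw string) bool {
	return bind(s, bindRequest{dn: dn, password: pw}) == nil
}

func main() {
	s := fakeServer{passwords: map[string]string{"uid=alice,dc=example,dc=org": "s3cret"}}
	fmt.Println(login(bindUnchecked, s, "uid=alice,dc=example,dc=org", ""))
	fmt.Println(login(bindChecked, s, "uid=alice,dc=example,dc=org", ""))
}
```

With the unchecked path, a login form that equates "bind succeeded" with "user authenticated" accepts a blank password; the checked path rejects it before anything is sent to the server.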