Your message dated Sat, 09 Dec 2017 14:37:39 +0000
with message-id <e1engg3-0001ud...@fasolo.debian.org>
and subject line Bug#876404: fixed in golang-github-go-ldap-ldap 2.4.1-1+deb9u1
has caused the Debian Bug report #876404,
regarding golang-github-go-ldap-ldap: CVE-2017-14623
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
876404: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876404
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-github-go-ldap-ldap
Version: 2.4.1-1
Severity: important
Tags: patch upstream security
Forwarded: https://github.com/go-ldap/ldap/pull/126

Hi,

the following vulnerability was published for golang-github-go-ldap-ldap.

CVE-2017-14623[0]:
| In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker
| may be able to login with an empty password. This issue affects an
| application using this package if these conditions are met: (1) it
| relies only on the return error of the Bind function call to determine
| whether a user is authorized (i.e., a nil return value is interpreted
| as successful authorization) and (2) it is used with an LDAP server
| allowing unauthenticated bind.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14623
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14623
[1] https://github.com/go-ldap/ldap/pull/126
[2] https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: golang-github-go-ldap-ldap
Source-Version: 2.4.1-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
golang-github-go-ldap-ldap, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <to...@debian.org> (supplier of updated 
golang-github-go-ldap-ldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 29 Nov 2017 23:45:26 +0100
Source: golang-github-go-ldap-ldap
Binary: golang-github-go-ldap-ldap-dev
Architecture: source all
Version: 2.4.1-1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: pkg-go <pkg-go-maintainers@lists.alioth.debian.org>
Changed-By: Dr. Tobias Quathamer <to...@debian.org>
Description:
 golang-github-go-ldap-ldap-dev - Basic LDAP v3 functionality for the Go 
programming language
Closes: 876404
Changes:
 golang-github-go-ldap-ldap (2.4.1-1+deb9u1) stretch; urgency=medium
 .
   * Team upload.
   * Require explicit intention for empty password.
     This is normally used for unauthenticated bind, and
     https://tools.ietf.org/html/rfc4513#section-5.1.2 recommends:
     "Clients SHOULD disallow an empty password input to a Name/Password
     Authentication user interface"
     This is (mostly) a cherry-pick of 95ede12 from upstream, except
     the bit in ldap_test.go, which is unrelated to the security issue.
     This fixes CVE-2017-14623. (Closes: #876404)
Checksums-Sha1:
 ea84eca5b7aa9fee4f9bb3e1a95158d9f2c56b52 2223 
golang-github-go-ldap-ldap_2.4.1-1+deb9u1.dsc
 fff71768d88342f57aabf4d33102950b1755b04b 33674 
golang-github-go-ldap-ldap_2.4.1.orig.tar.gz
 e67aff5db4ddaf4535e747bec504a196a819c3ab 4620 
golang-github-go-ldap-ldap_2.4.1-1+deb9u1.debian.tar.xz
 71b9526f76fad2fefafaa508d8c41a99b76b641e 30570 
golang-github-go-ldap-ldap-dev_2.4.1-1+deb9u1_all.deb
 e0a332f868ab66f53c947776f76edfe29eceb78e 5883 
golang-github-go-ldap-ldap_2.4.1-1+deb9u1_amd64.buildinfo
Checksums-Sha256:
 ef955905738d97ee3e80273012e2646dbbc919f14b1eeb4f8c7d4ca5b9ab0ac5 2223 
golang-github-go-ldap-ldap_2.4.1-1+deb9u1.dsc
 958d8cd684b0578ca16289bcbdcfa25018e7af4c08eb7adc99a5f5a541b29c29 33674 
golang-github-go-ldap-ldap_2.4.1.orig.tar.gz
 5ed5655409eddf8b0f9df20689cf67a4fdaeee410955721f59cadd498932f118 4620 
golang-github-go-ldap-ldap_2.4.1-1+deb9u1.debian.tar.xz
 1bb686072f3b8186c2b917b789f33f59bb2e98c80f551bebbcf5ddc84267435d 30570 
golang-github-go-ldap-ldap-dev_2.4.1-1+deb9u1_all.deb
 74c44af6ac520976917793b2d08fb7b49cf226d8510ddae3e5370fd923aa681c 5883 
golang-github-go-ldap-ldap_2.4.1-1+deb9u1_amd64.buildinfo
Files:
 416725ba71351016c4827c8493c0a326 2223 devel extra 
golang-github-go-ldap-ldap_2.4.1-1+deb9u1.dsc
 9b92afe3a5658d017c68ade126fdf68e 33674 devel extra 
golang-github-go-ldap-ldap_2.4.1.orig.tar.gz
 0426918d62c841a260b4708ddf1c7b66 4620 devel extra 
golang-github-go-ldap-ldap_2.4.1-1+deb9u1.debian.tar.xz
 d9cc19be2c741be84a8a3cc52b7491fb 30570 devel extra 
golang-github-go-ldap-ldap-dev_2.4.1-1+deb9u1_all.deb
 f7eadcf8bae23929f7260d80bb49c431 5883 devel extra 
golang-github-go-ldap-ldap_2.4.1-1+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
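The two conditions in the CVE text above (the application trusts a nil error from Bind, and the server accepts unauthenticated binds) and the client-side rule the changelog cites from RFC 4513 section 5.1.2, as an added Go example that is not part of this bug report, of the Debian package or of go-ldap itself. fakeDirectory is a constructed in-memory stand-in for a directory server, authenticateNaive and authenticateSafe are hypothetical application code, and clientBind, unauthenticatedBind and ErrEmptyPassword are hypothetical names that only mirror the idea of the upstream fix; none of them is go-ldap's API.

```go
package main

import (
	"errors"
	"fmt"
)

// fakeDirectory is a constructed, in-memory model of an LDAP server's
// Simple Bind handling (not go-ldap code). It implements only the RFC 4513
// s5.1.2 rule: a bind with a non-empty name and an empty password is an
// "unauthenticated bind", which a server may either accept, granting
// anonymous authorization, or refuse with unwillingToPerform (53).
type fakeDirectory struct {
	passwords            map[string]string // DN -> password, constructed test data
	allowUnauthenticated bool              // server setting that makes CVE-2017-14623 exploitable
}

// ldapError mimics the shape of an LDAP result code without a library dependency.
type ldapError struct {
	code int
	msg  string
}

func (e *ldapError) Error() string { return fmt.Sprintf("ldap result %d: %s", e.code, e.msg) }

const (
	resultInvalidCredentials = 49
	resultUnwillingToPerform = 53
)

// bind models the server's decision for one Simple Bind request.
func (d *fakeDirectory) bind(dn, password string) error {
	if password == "" {
		// Unauthenticated bind: success here means the connection is
		// anonymous, not "authenticated as dn".
		if d.allowUnauthenticated {
			return nil
		}
		return &ldapError{resultUnwillingToPerform, "unauthenticated bind disallowed"}
	}
	if stored, ok := d.passwords[dn]; !ok || stored != password {
		return &ldapError{resultInvalidCredentials, "invalid credentials"}
	}
	return nil
}

// authenticateNaive is the vulnerable pattern from the CVE text: a nil error
// from Bind is read as "the user proved knowledge of the password".
func authenticateNaive(d *fakeDirectory, dn, password string) bool {
	return d.bind(dn, password) == nil
}

// ErrEmptyPassword is a hypothetical sentinel for the client-side refusal.
var ErrEmptyPassword = errors.New("ldap: empty password not allowed by the client")

// clientBind is a hypothetical client wrapper applying the RFC 4513 s5.1.2
// recommendation: an empty password is rejected before anything reaches the
// server, so an unauthenticated bind can only happen by explicit request.
func clientBind(d *fakeDirectory, dn, password string) error {
	if password == "" {
		return ErrEmptyPassword
	}
	return d.bind(dn, password)
}

// unauthenticatedBind is the explicit opt-in. Its nil result must never be
// interpreted as a user having authenticated.
func unauthenticatedBind(d *fakeDirectory, dn string) error {
	return d.bind(dn, "")
}

// authenticateSafe is the hardened application: with the empty-password case
// refused by the client, a nil error really means the password matched.
func authenticateSafe(d *fakeDirectory, dn, password string) bool {
	return clientBind(d, dn, password) == nil
}

func main() {
	alice := "uid=alice,dc=example,dc=com"
	dir := &fakeDirectory{
		passwords:            map[string]string{alice: "correct horse"}, // constructed
		allowUnauthenticated: true,                                      // the exploitable server setting
	}
	fmt.Println("naive, right password:", authenticateNaive(dir, alice, "correct horse")) // true
	fmt.Println("naive, empty password:", authenticateNaive(dir, alice, ""))              // true: the bypass
	fmt.Println("safe,  empty password:", authenticateSafe(dir, alice, ""))               // false
	fmt.Println("explicit unauth bind: ", unauthenticatedBind(dir, alice) == nil)         // true, but not a login
}
```

The model also shows why the changelog's fix is the right layer: with allowUnauthenticated set to false the naive application is safe only by the grace of the server configuration, whereas the client-side refusal keeps the application correct against any server. When auditing a deployment, both conditions from the CVE text are worth checking independently: grep the application for code that treats a nil Bind error as a login, and confirm whether the directory actually accepts a bind with a DN and an empty password.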
_______________________________________________
Pkg-go-maintainers mailing list
Pkg-go-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-go-maintainers
