Bug 1347760 - CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation, etc.

Description: If a bind user has no rights, it should not disclose any information including the existence of the entry.

Fix description:
1) ALREADY_EXISTS in add -- If the to-be-added entry is found existing in ldbm_back_add, it checks the ACI and if there are no rights, it returns INSUFFICIENT_ACCESS instead of ALREADY_EXISTS.
2) NO_SUCH_OBJECT in other update operations -- If the target entry is found not existing, it checks the ancestor entry's access rights in find_entry. If it is not allowed to access the subtree, it returns INSUFFICIENT_ACCESS instead of NO_SUCH_OBJECT. Plus, it suppresses the "Matched" ancestor message.
3) NO_SUCH_OBJECT in search -- If a bind entry has no rights to read a subtree, it returns no search results with SUCCESS. It should be applied to the non-existing subtree if the bind entry has no rights to the super tree.
4) If bind fails because of the non-existence of the bind user or the parent nodes, the bind returns LDAP_INVALID_CREDENTIALS to the client with no other information. The detailed cause is logged in the access log as follows:
RESULT err=49 .. etime=0 - No such suffix (<given suffix>)
RESULT err=49 .. etime=0 - Invalid credentials
RESULT err=49 .. etime=0 - No such entry

https://bugzilla.redhat.com/show_bug.cgi?id=1347760

Reviewed by lkrispen@redhat.com, mreynolds@redhat.com, and tbordaz@redhat.com. Thank you!!!
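The four items above all close the same class of oracle: an unprivileged bind learning whether a DN exists from the result code, the matchedDN, or a SUCCESS-versus-NO_SUCH_OBJECT difference. The following Python model is an added example, not code from 389-ds-base or from this commit: it builds a constructed five-entry directory with a one-rule ACI model and, for each operation, places the "before" ordering (existence checked first) beside the "after" ordering (access checked first) so the oracle can be measured. Every function name (allowed, add_before, add_after, find_entry_before, find_entry_after, search_before, search_after, bind, responses), the DIT contents and the ACI model are assumptions made for illustration; the result codes are the standard LDAP values from RFC 4511.

```python
"""Toy model of the entry-existence oracle closed by this commit.

Added example, not 389-ds-base code: the directory contents, the one-rule
ACI model and every function name here are assumptions for illustration.
Result codes are the standard LDAP values from RFC 4511.
"""
SUCCESS, NO_SUCH_OBJECT, INVALID_CREDENTIALS, INSUFFICIENT_ACCESS, ALREADY_EXISTS = 0, 32, 49, 50, 68

SUFFIXES = ["dc=example,dc=com"]

# Constructed DIT: DN -> attributes. ou=secret is off limits to alice.
DIT = {
    "dc=example,dc=com": {},
    "ou=people,dc=example,dc=com": {},
    "uid=alice,ou=people,dc=example,dc=com": {"userPassword": "alice-pw"},
    "ou=secret,dc=example,dc=com": {},
    "cn=project-x,ou=secret,dc=example,dc=com": {},
}
# Constructed ACI model: bind DN -> subtrees it may read and write ("" is anonymous).
ACCESS = {"uid=alice,ou=people,dc=example,dc=com": ["ou=people,dc=example,dc=com"], "": []}


def in_subtree(dn, root):
    return dn == root or dn.endswith("," + root)


def allowed(bind_dn, dn):
    """True if bind_dn has rights on dn under the toy ACI model."""
    return any(in_subtree(dn, s) for s in ACCESS.get(bind_dn, []))


def nearest_existing_ancestor(dn):
    while dn and dn not in DIT:
        dn = dn.partition(",")[2]
    return dn or None


# 1) ADD: before the fix, existence was reported ahead of the ACI check.
def add_before(bind_dn, dn):
    if dn in DIT:
        return ALREADY_EXISTS
    return SUCCESS if allowed(bind_dn, dn) else INSUFFICIENT_ACCESS


def add_after(bind_dn, dn):
    if not allowed(bind_dn, dn):          # ACI first: same answer whether dn exists or not
        return INSUFFICIENT_ACCESS
    return ALREADY_EXISTS if dn in DIT else SUCCESS


# 2) Target lookup for modify/delete/modrdn: returns (result, matchedDN).
def find_entry_before(bind_dn, dn):
    if dn not in DIT:
        return NO_SUCH_OBJECT, nearest_existing_ancestor(dn)   # matchedDN leaks the ancestor too
    return (SUCCESS, dn) if allowed(bind_dn, dn) else (INSUFFICIENT_ACCESS, None)


def find_entry_after(bind_dn, dn):
    if dn not in DIT:
        anc = nearest_existing_ancestor(dn)
        if anc is None or not allowed(bind_dn, anc):   # no rights on the subtree: no matchedDN either
            return INSUFFICIENT_ACCESS, None
        return NO_SUCH_OBJECT, anc
    return (SUCCESS, dn) if allowed(bind_dn, dn) else (INSUFFICIENT_ACCESS, None)


# 3) SEARCH: returns (result, tuple of readable DNs under base).
def _visible(bind_dn, base):
    return tuple(dn for dn in DIT if in_subtree(dn, base) and allowed(bind_dn, dn))


def search_before(bind_dn, base):
    if base not in DIT:
        return NO_SUCH_OBJECT, ()        # distinguishable from an unreadable existing base
    return SUCCESS, _visible(bind_dn, base)


def search_after(bind_dn, base):
    if base not in DIT:
        anc = nearest_existing_ancestor(base)
        if anc is None or not allowed(bind_dn, anc):
            return SUCCESS, ()           # indistinguishable from an unreadable existing base
        return NO_SUCH_OBJECT, ()
    return SUCCESS, _visible(bind_dn, base)


# 4) BIND: the client only ever sees err=49; the cause goes to the access log.
def bind(dn, password):
    """Returns (result sent to the client, access-log line). The log line keeps the
    'RESULT err=.. etime=.. - reason' shape; fields the commit elides with '..' are
    dropped, and the whole DN stands in for the suffix the real server prints."""
    entry = DIT.get(dn)
    if not any(in_subtree(dn, s) for s in SUFFIXES):
        reason = "No such suffix (%s)" % dn
    elif entry is None:
        reason = "No such entry"
    elif entry.get("userPassword") != password:
        reason = "Invalid credentials"
    else:
        return SUCCESS, "RESULT err=0 etime=0"
    return INVALID_CREDENTIALS, "RESULT err=49 etime=0 - " + reason


def responses(probe, bind_dn, dns):
    """Distinct answers one bind gets for several DNs; more than one means an oracle."""
    return {probe(bind_dn, dn) for dn in dns}
```

Probing an existing and a non-existing DN under ou=secret as alice gives two distinct answers from the "before" functions (68 vs 50 for add, 32 plus a matchedDN vs 50 for find_entry, 32 vs 0 for search) and exactly one from the "after" functions, which is the property the commit message states: no rights, no information, not even the existence of the entry or of its ancestor.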
Showing 15 changed files with 311 additions and 114 deletions.