Unexpected info returned to ldap request #4480

Closed
tbordaz opened this issue Dec 8, 2020 · 8 comments
tbordaz commented Dec 8, 2020

Issue Description
An LDAP result can contain additional information. Such information should not allow a client application to guess whether an entry exists or not.

Package Version and Platform:
This bug impacts all releases after 1.4.2.3

Steps to Reproduce
To be provided with an automatic testcase

Expected results
An LDAP request should not provide any tips on whether an entry exists or not

tbordaz added the needs triage label Dec 8, 2020
tbordaz added a commit to tbordaz/389-ds-base that referenced this issue Dec 10, 2020
Bug description:
	If the bind entry does not exist, the bind result info
        reports that 'No such entry'. It should not give any
        information if the target entry exists or not

Fix description:
	Does not return any additional information during a bind

relates: 389ds#4480

Reviewed by:

Platforms tested:  F31
tbordaz added this to the 1.4.3 milestone Dec 10, 2020
tbordaz removed the needs triage label Dec 10, 2020
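
A regression check for the behaviour the commit message describes, as an added example that is not part of the issue or of the 389-ds-base test suite: it parses two BindResponse PDUs and reports which LDAPResult fields differ between a bind to a missing entry and a bind with a wrong password. The PDUs are constructed samples, and the result code 49 (invalidCredentials) and all function names are assumptions made for the example.

```python
# Added example: constructed BindResponse PDUs, not captured from a real server.

def _tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(pdu):
    """Return (resultCode, matchedDN, diagnosticMessage) of a BindResponse."""
    tag, msg, _ = _tlv(pdu, 0)             # LDAPMessage SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _tlv(msg, 0)               # messageID (not compared)
    tag, op, _ = _tlv(msg, pos)            # protocolOp
    if tag != 0x61:                        # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = _tlv(op, 0)             # ENUMERATED resultCode
    _, matched, pos = _tlv(op, pos)        # matchedDN
    _, diag, pos = _tlv(op, pos)           # diagnosticMessage
    return int.from_bytes(code, "big"), matched.decode(), diag.decode()

def bind_failure_oracle(missing_entry_pdu, wrong_password_pdu):
    """List the fields in which the two failed binds differ (empty = no leak)."""
    names = ("resultCode", "matchedDN", "diagnosticMessage")
    a = parse_bind_response(missing_entry_pdu)
    b = parse_bind_response(wrong_password_pdu)
    return [n for n, x, y in zip(names, a, b) if x != y]

def _bind_response(msgid, code, diag):
    """Build a constructed test PDU (short-form lengths only)."""
    def enc(tag, val):
        return bytes([tag, len(val)]) + val
    op = enc(0x0A, bytes([code])) + enc(0x04, b"") + enc(0x04, diag)
    return enc(0x30, enc(0x02, bytes([msgid])) + enc(0x61, op))

# Constructed samples; 49 = invalidCredentials (assumed for both failures).
WRONG_PASSWORD = _bind_response(1, 49, b"")
MISSING_BEFORE_FIX = _bind_response(2, 49, b"No such entry")  # text quoted in the commit message
MISSING_AFTER_FIX = _bind_response(3, 49, b"")
```

An empty list from `bind_failure_oracle` means a client cannot tell the two failures apart from the response fields; any listed field is the one carrying the hint.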
tbordaz added a commit to tbordaz/389-ds-base that referenced this issue Dec 16, 2020
Bug description:
	If the bind entry does not exist, the bind result info
        reports that 'No such entry'. It should not give any
        information if the target entry exists or not

Fix description:
	Does not return any additional information during a bind

relates: 389ds#4480

Reviewed by: William Brown, Viktor Ashirov

Platforms tested:  F31
tbordaz added a commit to tbordaz/389-ds-base that referenced this issue Dec 16, 2020
Bug description:
	If the bind entry does not exist, the bind result info
        reports that 'No such entry'. It should not give any
        information if the target entry exists or not

Fix description:
	Does not return any additional information during a bind

relates: 389ds#4480

Reviewed by: William Brown, Viktor Ashirov, Mark Reynolds (thank you all)

Platforms tested:  F31
tbordaz added a commit that referenced this issue Dec 16, 2020
Bug description:
	If the bind entry does not exist, the bind result info
        reports that 'No such entry'. It should not give any
        information if the target entry exists or not

Fix description:
	Does not return any additional information during a bind

relates: #4480

Reviewed by: William Brown, Viktor Ashirov, Mark Reynolds (thank you all)

Platforms tested:  F31
tbordaz commented Dec 16, 2020

0b08e6f..cc0f692 master
730b30f..38b97fa 389-ds-base-1.4.4
fe04093..c8e77b8 389-ds-base-1.4.3

tbordaz closed this as completed Dec 16, 2020
@mreynolds389

@tbordaz - does this also apply to 1.3.10 (RHEL 7.9)?

tbordaz commented Dec 17, 2020

@mreynolds389 no, it does not apply to the 1.3.10 (RHEL 7.9) branch.
A side effect of #49476 (backend refactoring) created this bug. Backend refactoring was not backported to 1.3.10.

wladich pushed a commit to wladich/freeipa that referenced this issue Jan 15, 2021
Error reporting of 389ds was changed in
389ds/389-ds-base#4480 to return no
additional information about a failing bind (to avoid leaking information).

As a consequence, when an unauthorized user tries to perform an
administrative task on the IPA server, the error message contains less info.

The assertion was changed to accept old and new variants of error message.
carnil commented Jan 22, 2021

@tbordaz

> @mreynolds389 no, it does not apply to the 1.3.10 (RHEL 7.9) branch.
> A side effect of #49476 (backend refactoring) created this bug. Backend refactoring was not backported to 1.3.10.

Is the reference #49476 above correct?

Trying to check which Debian releases are currently affected by this issue.

tbordaz commented Jan 22, 2021

@carnil, this issue was a side effect of #2535 (former pagure #49476). #2535 was applied on 1.4.x branch only. So #4480 does not impact 1.3.x nor 1.2.11 branches.

carnil commented Jan 22, 2021

> @carnil, this issue was a side effect of #2535 (former pagure #49476). #2535 was applied on 1.4.x branch only. So #4480 does not impact 1.3.x nor 1.2.11 branches.

@tbordaz: thank you! So we (in Debian) need to only additionally check the 1.4.0.21-1 version we have. Older suites are 1.3.x based, and the current unstable was updated to 1.4.4.10, which has the fix.

@Firstyear

@carnil will the 1.4.4.x updates be put into current stable? It would be good to see Debian updated here. Thanks,

mreynolds389 pushed a commit that referenced this issue Jan 28, 2021
Bug description:
	If the bind entry does not exist, the bind result info
        reports that 'No such entry'. It should not give any
        information if the target entry exists or not

Fix description:
	Does not return any additional information during a bind

relates: #4480

Reviewed by: William Brown, Viktor Ashirov, Mark Reynolds (thank you all)

Platforms tested:  F31
tbordaz commented Apr 12, 2021

b2c6764..16d9020 1.4.2

and add testcase

d5fd49f..39891cd 389-ds-base-1.4.2

tbordaz modified the milestones: 1.4.3, 1.4.2 Apr 12, 2021