Publishing details
Changelog
golang-github-go-ldap-ldap (2.4.1-1+deb9u1) stretch; urgency=medium

  * Team upload.
  * Require explicit intention for empty password.
    This is normally used for unauthenticated bind, and
    https://tools.ietf.org/html/rfc4513#section-5.1.2 recommends:
    "Clients SHOULD disallow an empty password input to a Name/Password
    Authentication user interface"
    This is (mostly) a cherry-pick of 95ede12 from upstream, except
    the bit in ldap_test.go, which is unrelated to the security issue.
    This fixes CVE-2017-14623. (Closes: #876404)

 -- Dr. Tobias Quathamer <email address hidden>  Wed, 29 Nov 2017 23:45:26 +0100
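
The failure mode this changelog entry addresses, as an added Go example (not code from the package or from upstream): a login check that treats any successful simple bind as proof of the password, beside one that refuses an empty password before binding. The `binder` interface, `fakeDirectory`, `naiveLogin` and `guardedLogin` are hypothetical names, and the fake server is constructed to accept unauthenticated binds.

```go
package main

import (
	"errors"
	"fmt"
)

// binder is the one method this example needs; go-ldap's *ldap.Conn has a
// Bind method with this signature.
type binder interface {
	Bind(username, password string) error
}

// fakeDirectory is a constructed stand-in for a server that accepts
// unauthenticated binds (RFC 4513 section 5.1.2).
type fakeDirectory struct{ passwords map[string]string }

func (d fakeDirectory) Bind(username, password string) error {
	if password == "" {
		return nil // bind succeeds, but no identity has been proven
	}
	if want, ok := d.passwords[username]; ok && want == password {
		return nil
	}
	return fmt.Errorf("LDAP Result Code 49: invalid credentials for %q", username)
}

var errEmptyPassword = errors.New("empty password refused for simple bind")

// naiveLogin treats a successful bind as proof that the password was correct.
func naiveLogin(c binder, user, pass string) bool {
	return c.Bind(user, pass) == nil
}

// guardedLogin follows the RFC 4513 recommendation: an empty password never
// reaches the server from a name/password login path.
func guardedLogin(c binder, user, pass string) (bool, error) {
	if pass == "" {
		return false, errEmptyPassword
	}
	return c.Bind(user, pass) == nil, nil
}

func main() {
	dn := "cn=alice,dc=example,dc=org" // constructed sample entry
	dir := fakeDirectory{passwords: map[string]string{dn: "s3cret"}}
	fmt.Println("naive, empty password:", naiveLogin(dir, dn, ""))
	ok, err := guardedLogin(dir, dn, "")
	fmt.Println("guarded, empty password:", ok, err)
}
```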