Security fix module ldapurl (was: ANN: python-ldap-2.0.0pre06)
Michael Ströder
michael at stroeder.com
Wed Sep 25 10:12:32 CEST 2002
Peter Hawkins wrote:
>>- Security fix to module ldapurl
>
> Can you explain this more clearly? How severe is it?
If an application used the LDAP URL extensions bindname and X-BINDPW in
prior versions, the key-word arg 'extensions' for LDAPUrl.__init__() was
not newly initialized each time. This could in some cases reveal login
information elsewhere through LDAP URLs generated with this module.
See also:
http://www.geocrawler.com/lists/3/SourceForge/1568/0/9527098/
The follow-ups:
http://www.geocrawler.com/lists/3/SourceForge/1568/0/9527860/
http://www.geocrawler.com/lists/3/SourceForge/1568/0/9527887/
http://www.geocrawler.com/lists/3/SourceForge/1568/0/9533130/
> Which versions does it affect?
2.0.0pre05 and prior versions which contain module ldapurl.
> Do I need to issue an advisory against my package?
Depends on your policy.
Ciao, Michael.
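
The failure mode described in the message above, as an added Python example that is not part of the original post and is not python-ldap's code. It assumes the keyword argument stayed uninitialized because of a shared mutable default value; the class names, hosts and credentials are constructed.

```python
import inspect
from urllib.parse import quote

def _unparse(hostport, extensions):
    # LDAP URL layout: ldap://hostport/dn?attrs?scope?filter?extensions
    exts = ",".join(f"{k}={quote(v, safe='')}" for k, v in sorted(extensions.items()))
    return f"ldap://{hostport}/????{exts}" if exts else f"ldap://{hostport}/"

class SharedDefaultUrl:
    """'Before' pattern (hypothetical): the default dict is built once, at def time."""
    def __init__(self, hostport, extensions={}):
        self.hostport = hostport
        self.extensions = extensions  # every caller relying on the default shares it

    def unparse(self):
        return _unparse(self.hostport, self.extensions)

class FreshDefaultUrl:
    """'After' pattern (hypothetical): a new dict per instance, caller's dict copied."""
    def __init__(self, hostport, extensions=None):
        self.hostport = hostport
        self.extensions = dict(extensions) if extensions is not None else {}

    def unparse(self):
        return _unparse(self.hostport, self.extensions)

def url_for_unrelated_host(cls):
    """Set bind credentials on one URL object, then generate a URL for another."""
    authed = cls("ldap.example.org")
    authed.extensions["bindname"] = "cn=admin,dc=example,dc=org"  # constructed
    authed.extensions["X-BINDPW"] = "constructed-secret"          # constructed
    public = cls("directory.example.net")  # never given any credentials
    return public.unparse()

def mutable_defaults(func):
    """Regression check: names of parameters whose default is a dict, list or set."""
    params = inspect.signature(func).parameters.values()
    return [p.name for p in params if isinstance(p.default, (dict, list, set))]

if __name__ == "__main__":
    print(url_for_unrelated_host(SharedDefaultUrl))  # carries the other object's login
    print(url_for_unrelated_host(FreshDefaultUrl))   # clean URL
    print(mutable_defaults(SharedDefaultUrl.__init__))
```
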