Security fix module ldapurl (was: ANN: python-ldap-2.0.0pre06)
michael at stroeder.com
Wed Sep 25 10:12:32 CEST 2002
Peter Hawkins wrote:
>>- Security fix to module ldapurl
> Can you explain this more clearly? How severe is it?
If an application used the LDAP URL extensions bindname and X-BINDPW in
prior versions, the key-word arg 'extensions' for LDAPUrl.__init__() was
not newly initialized each time. This could in some cases reveal login
information elsewhere through LDAP URLs generated with this module.
> Which versions does it affect?
2.0.0pre05 and prior versions which contain module ldapurl.
> Do I need to issue an advisory against my package?
Depends on your policy.
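
Added example, not part of the original message and not python-ldap's code: a minimal sketch of how a keyword argument that is not re-initialized per call can carry bindname and X-BINDPW into URLs built by unrelated instances, assuming the cause was a shared mutable default. The classes LeakyUrl and FixedUrl, the helpers, the host name and the credential are all constructed for illustration.

```python
# Added illustration; every name here is hypothetical, not python-ldap code.
import inspect
from urllib.parse import quote


class LeakyUrl:
    """'Before' pattern: the default dict is created once, at definition time."""

    def __init__(self, hostport, dn, extensions={}):
        self.hostport = hostport
        self.dn = dn
        self.extensions = extensions  # shared by every default-constructed instance

    def set_bind(self, who, cred):
        self.extensions["bindname"] = who
        self.extensions["X-BINDPW"] = cred

    def unparse(self):
        # LDAP URL layout: ldap://host/dn?attrs?scope?filter?extensions
        exts = ",".join(f"{k}={quote(v, safe='=')}" for k, v in self.extensions.items())
        url = f"ldap://{self.hostport}/{quote(self.dn, safe='=,')}"
        return f"{url}????{exts}" if exts else url


class FixedUrl(LeakyUrl):
    """'After' pattern: None sentinel, fresh dict copied for each instance."""

    def __init__(self, hostport, dn, extensions=None):
        super().__init__(hostport, dn, dict(extensions or {}))


def demo(cls):
    """Return the URL generated by a second instance that was given no credentials."""
    first = cls("ldap.example.org", "uid=admin,dc=example,dc=org")
    first.set_bind("uid=admin,dc=example,dc=org", "constructed-secret")
    second = cls("ldap.example.org", "dc=example,dc=org")
    return second.unparse()


def mutable_defaults(func):
    """Audit helper: parameter names whose default is a shared dict, list or set."""
    params = inspect.signature(func).parameters.values()
    return [p.name for p in params if isinstance(p.default, (dict, list, set))]


if __name__ == "__main__":
    print("leaky:", demo(LeakyUrl))
    print("fixed:", demo(FixedUrl))
    print("flagged:", mutable_defaults(LeakyUrl.__init__))
```

The audit helper can be pointed at any constructor or function in a code base to flag the same pattern before it ships.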