Security fix module ldapurl (was: ANN: python-ldap-2.0.0pre06)

Michael Ströder michael at
Wed Sep 25 10:12:32 CEST 2002

Peter Hawkins wrote:
>>- Security fix to module ldapurl
> Can you explain this more clearly? How severe is it?

If an application used the LDAP URL extensions bindname and X-BINDPW in
prior versions, the key-word arg 'extensions' for LDAPUrl.__init__() was
not newly initialized each time. This could in some cases reveal login
information elsewhere through LDAP URLs generated with this module.

See also:

The follow-ups:

 > Which versions does it affect?

2.0.0pre05 and prior versions which contain module ldapurl.

 > Do I need to issue an advisory against my package?

Depends on your policy.

Ciao, Michael.
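
Added example, not part of the original message and not python-ldap code: a minimal model of a keyword argument that is "not newly initialized each time", assuming the cause was a mutable default value. The class names, host name and credentials are constructed for illustration, and the last function is a small audit helper for spotting the pattern in other code.

```python
import inspect

class SharedDefaultUrl:
    """'Before' pattern: the default dict is built once, when the def runs."""
    def __init__(self, hostport, extensions={}):
        self.hostport = hostport
        self.extensions = extensions  # default-constructed instances alias one dict

    def unparse(self):
        # ldap://host/dn?attrs?scope?filter?extensions with the middle parts empty
        exts = ",".join(f"{k}={v}" for k, v in sorted(self.extensions.items()))
        return f"ldap://{self.hostport}/????{exts}" if exts else f"ldap://{self.hostport}/"

class FreshDefaultUrl(SharedDefaultUrl):
    """'After' pattern: None sentinel, new dict per instance, caller's dict copied."""
    def __init__(self, hostport, extensions=None):
        super().__init__(hostport, dict(extensions) if extensions else {})

def demo(url_class):
    """Build a URL with credentials, then return an unrelated URL's string."""
    first = url_class("ldap.example.org")        # constructed host name
    first.extensions["bindname"] = "cn=admin"    # constructed credentials
    first.extensions["X-BINDPW"] = "s3cret"
    second = url_class("ldap.example.org")       # caller supplied no credentials
    return second.unparse()

def mutable_defaults(func):
    """Audit helper: parameter names whose default is a dict, list or set."""
    return [name for name, p in inspect.signature(func).parameters.items()
            if isinstance(p.default, (dict, list, set))]

if __name__ == "__main__":
    print("shared default:", demo(SharedDefaultUrl))   # password appears
    print("fresh default: ", demo(FreshDefaultUrl))    # no extensions
    print("flagged params:", mutable_defaults(SharedDefaultUrl.__init__))
```
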
