Package: golang-github-go-ldap-ldap / 2.4.1-1+deb9u1

Metadata

Package: golang-github-go-ldap-ldap
Version: 2.4.1-1+deb9u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
disable internet tests.patch

ldap_test.go | 2 (2 +, 0 -, 0 !)
1 file changed, 2 insertions(+)

 disable functional tests by default
 We are disabling this set of tests because they require
 an internet connection. Users that still want to run them, maybe
 because they are working on this library, may still do so using
 the functional-ldap-tests build tag.
0002 Require explicit intention for empty password.patch

bind.go | 80 (37 +, 43 -, 0 !)
error.go | 9 (9 +, 0 -, 0 !)
2 files changed, 46 insertions(+), 43 deletions(-)

 require explicit intention for empty password.

This is normally used for unauthenticated bind, and
https://tools.ietf.org/html/rfc4513#section-5.1.2 recommends:

> Clients SHOULD disallow an empty password input to a Name/Password
> Authentication user interface

This is (mostly) a cherry-pick of 95ede12 from upstream. I've removed
the bit in ldap_test.go, which is unrelated to the security issue.

This fixes CVE-2017-14623.

https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66