Package: golang-github-go-ldap-ldap / 2.5.1-4

Metadata

Package Version Patches format
golang-github-go-ldap-ldap 2.5.1-4 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
disable internet tests.patch | (download)

ldap_test.go | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 disable-internet-tests


0002 Require explicit intention for empty password.patch | (download)

bind.go | 80 37 + 43 - 0 !
error.go | 2 2 + 0 - 0 !
ldap_test.go | 64 31 + 33 - 0 !
3 files changed, 70 insertions(+), 76 deletions(-)

 require explicit intention for empty password.

This is normally used for unauthenticated bind, and
https://tools.ietf.org/html/rfc4513#section-5.1.2 recommends:

> Clients SHOULD disallow an empty password input to a Name/Password
> Authentication user interface

This is a cherry-pick of 95ede12 from upstream, which fixes CVE-2017-14623.

https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66