[Freeipa-devel] [PATCH 0076] Ensure that a password exists after OTP validation

Nathaniel McCallum npmccallum at redhat.com
Wed Nov 5 20:14:09 UTC 2014


Before this patch users could log in using only the OTP value. This
arose because ipapwd_authentication() successfully determined that
an empty password was invalid, but 389 itself would see this as an
anonymous bind. An anonymous bind would never even get this far in
this code, so we simply deny requests with empty passwords.

This patch resolves CVE-2014-7828.

https://fedorahosted.org/freeipa/ticket/4690
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-npmccallum-0076-Ensure-that-a-password-exists-after-OTP-validation.patch
Type: text/x-patch
Size: 2650 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141105/664e1b37/attachment.bin>
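The failure mode the message describes, modelled as an added example (constructed here, not FreeIPA's own code and not the scrubbed patch): the plugin validates the OTP, strips it, and hands the remainder of the credential to the directory server as the bind password. Because the directory server treats an empty bind password as an anonymous bind rather than a failure, an OTP with no password behind it is accepted. The hardened variant denies the request before the empty password ever reaches the bind. The credential layout (password followed by a six-digit OTP), the token value and the password are all constructed assumptions for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug, not FreeIPA or 389-ds code.
 * Assumption: the user supplies one string, the LDAP password followed by
 * a 6-digit OTP (hypothetical layout chosen for this example). */
#define OTP_LEN 6

enum auth_result { AUTH_DENIED = 0, AUTH_OK = 1 };

/* Toy OTP check: the constructed token "123456" is the only valid value. */
static bool otp_is_valid(const char *otp, size_t len)
{
    return len == OTP_LEN && memcmp(otp, "123456", OTP_LEN) == 0;
}

/* Toy stand-in for the directory server's own password comparison. */
static bool directory_password_check(const char *pw, size_t len)
{
    static const char expected[] = "hunter2";   /* constructed password */
    return len == sizeof(expected) - 1 && memcmp(pw, expected, len) == 0;
}

/* Toy stand-in for the directory server's bind step. As the message
 * states, an empty password is treated as an anonymous bind, which is
 * not an error from the server's point of view. */
static enum auth_result directory_bind(const char *pw, size_t len)
{
    if (len == 0)
        return AUTH_OK;                      /* anonymous bind, no failure */
    return directory_password_check(pw, len) ? AUTH_OK : AUTH_DENIED;
}

/* Behaviour before the fix: OTP validated, remainder passed straight on. */
enum auth_result authenticate_before_fix(const char *cred)
{
    size_t n = strlen(cred);
    if (n < OTP_LEN || !otp_is_valid(cred + n - OTP_LEN, OTP_LEN))
        return AUTH_DENIED;
    /* Strip the OTP and let the directory bind with whatever is left,
     * even when nothing is left. */
    return directory_bind(cred, n - OTP_LEN);
}

/* Behaviour after the fix: an empty remaining password is denied outright,
 * so the anonymous-bind path is never reached. */
enum auth_result authenticate_after_fix(const char *cred)
{
    size_t n = strlen(cred);
    if (n < OTP_LEN || !otp_is_valid(cred + n - OTP_LEN, OTP_LEN))
        return AUTH_DENIED;
    if (n - OTP_LEN == 0)
        return AUTH_DENIED;                  /* the added check */
    return directory_bind(cred, n - OTP_LEN);
}

int main(void)
{
    const char *otp_only = "123456";         /* constructed: no password */
    const char *full = "hunter2123456";      /* constructed: password + OTP */

    printf("before fix, OTP only:      %s\n",
           authenticate_before_fix(otp_only) == AUTH_OK ? "accepted" : "denied");
    printf("after fix,  OTP only:      %s\n",
           authenticate_after_fix(otp_only) == AUTH_OK ? "accepted" : "denied");
    printf("after fix,  password+OTP:  %s\n",
           authenticate_after_fix(full) == AUTH_OK ? "accepted" : "denied");
    return 0;
}
```

The check is deliberately placed in the plugin, before the bind, because the directory server's anonymous-bind semantics are correct for its own purposes; the plugin is the component that knows an empty password in this position is never legitimate.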

