Re: BUG #10680: LDAP bind password leaks to log on failed authentication

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Steven Siebert <smsiebe(at)gmail(dot)com>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #10680: LDAP bind password leaks to log on failed authentication
Date: 2014-06-23 20:35:33
Message-ID: CABUevEziycN8irGudCg+DW0MY-afwbEjDR0ODGO9Rz9Sm9wSRQ@mail.gmail.com
Lists: pgsql-bugs

On Mon, Jun 23, 2014 at 10:26 PM, Steven Siebert <smsiebe(at)gmail(dot)com> wrote:

> Thanks for the continued discussion on this issue.
>
> It seems like, generally, fixing this vulnerability is getting a green
> light.
>
> I wouldn't mind re-working the patch for this bug if I knew the
> consensus on the preferred implementation. As I mentioned previously,
> I'm new here, so how do I go about soliciting "votes" (or otherwise) on
> the preferred approach so that I may move forward?
>

I think the current summary is that "option c" is the one that people would
accept if you submit it (provided the regular caveats about it being
correctly implemented etc, of course). It should of course cover other
potentially sensitive fields as well (such as the radius encryption key).

If you implement a patch for that option, I will be happy to review and
apply it.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
