From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Steven Siebert <smsiebe(at)gmail(dot)com> |
Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
Subject: | Re: BUG #10680: LDAP bind password leaks to log on failed authentication |
Date: | 2014-10-11 18:35:35 |
Message-ID: | 20141011183535.GA21267@momjian.us |
Lists: | pgsql-bugs |
Was any progress made on this, the reporting of LDAP/RADIUS passwords in
our server logs?
---------------------------------------------------------------------------
On Mon, Jun 23, 2014 at 04:42:24PM -0400, Steven Siebert wrote:
> Thanks Magnus =) I'll move forward with this guidance.
>
>
> On Mon, Jun 23, 2014 at 4:35 PM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> > On Mon, Jun 23, 2014 at 10:26 PM, Steven Siebert <smsiebe(at)gmail(dot)com> wrote:
> >>
> >> Thanks for the continued discussion on this issue.
> >>
> >> It seems like, generally, fixing this vulnerability is getting a green
> >> light.
> >>
> >> I wouldn't mind re-working the patch for this bug if I knew the
> >> consensus on the preferred implementation. As I mentioned previously,
> >> I'm new here, so how do I go about soliciting "votes" (or otherwise)
> >> the preferred approach so that I may move forward.
> >
> >
> > I think the current summary is that "option c" is the one that people would
> > accept if you submit it (provided the regular caveats about it being
> > correctly implemented etc, of course). It should of course cover other
> > potentially sensitive fields as well (such as the radius encryption key).
> >
> > If you implement a patch for that option, I will be happy to review and
> > apply it.
> >
> > --
> > Magnus Hagander
> > Me: http://www.hagander.net/
> > Work: http://www.redpill-linpro.com/
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +