| From: | Steven Siebert <smsiebe(at)gmail(dot)com> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: BUG #10680: LDAP bind password leaks to log on failed authentication |
| Date: | 2014-06-23 20:42:24 |
| Message-ID: | CAC3nzeitnG+3DthhAer3TF0OQO0-JsFWVB9iuXMqMCRz7aDmpw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Thanks Magnus =) I'll move forward with this guidance.
On Mon, Jun 23, 2014 at 4:35 PM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> On Mon, Jun 23, 2014 at 10:26 PM, Steven Siebert <smsiebe(at)gmail(dot)com> wrote:
>>
>> Thanks for the continued discussion on this issue.
>>
>> It seems like, generally, fixing this vulnerability is getting a green
>> light.
>>
>> I wouldn't mind re-working the patch for this bug if I knew the
>> consensus on the preferred implementation. As I mentioned previously,
>> I'm new here, so how do I go about soliciting "votes" (or otherwise)
>> the preferred approach so that I may move forward.
>
>
> I think the current summary is that "option c" is the one that people would
> accept if you submit it (provided the regular caveats about it being
> correctly implemented etc, of course). It should of course cover other
> potentially sensitive fields as well (such as the radius encryption key).
>
> If you implement a patch for that option, I will be happy to review and
> apply it.
>
> --
> Magnus Hagander
> Me: http://www.hagander.net/
> Work: http://www.redpill-linpro.com/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2014-06-23 23:34:08 | Re: [BUGS] BUG #10728: json_to_recordset with nested json objects NULLs columns |
| Previous Message | Magnus Hagander | 2014-06-23 20:35:33 | Re: BUG #10680: LDAP bind password leaks to log on failed authentication |