oss-sec mailing list archives
CVE request (Debian specific): slapd: dangerous access rule in default config
From: Yves-Alexis Perez <corsac () debian org>
Date: Sat, 28 Mar 2015 23:52:12 +0100
Hi, Debian bug #761406 was fixed in Debian sid some time ago, but no CVE was assigned. In order to raise some exposure, and make sure admins check/fix their config, we'll issue a DSA, so I'm requesting a CVE for this. The problem is that by default LDAP users have write access to their own attributes. If LDAP is used to grant permissions, and those permissions are stored as user attributes (for example by using the ou), then an user can modify its own permissions, which is usually not wanted. It's a Debian specific issue, but the OpenLDAP documentation [2] actually recommends something like that. Thanks in advance, [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761406 [2]: http://www.openldap.org/doc/admin24/guide.html#Basic ACLs -- Yves-Alexis
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- CVE request (Debian specific): slapd: dangerous access rule in default config Yves-Alexis Perez (Mar 28)