(ITS#8572) FOR INFO ONLY: SASL SCRAM-SHA-1 authz may fail incorrectly



Full_Name: Bill Clay
Version: 2.4.44
OS: Debian/GNU Linux 7.8 (Wheezy)
URL: 
Submission from: (NULL) (79.12.44.250)


Cyrus SASL 2.1.26 plugins/scram.c decode_saslname() may return a corrupt authz
name.

SASL SCRAM-SHA-1 auth with a "dn:" style authzID can return an authzID string
with trailing original (escaped) characters appended.  slapd may then
incorrectly deny the requested proxy authorization because the returned value
may fail match criteria that a correctly-decoded SASL name would pass. (There
may be other SASL SCRAM scenarios in which this flaw would produce incorrect
results.)

Cyrus SASL issue: https://github.com/cyrusimap/cyrus-sasl/issues/416
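As an added example (not Cyrus SASL's own code, and not a claim about how its decode_saslname() is implemented): a decoder for the RFC 5802 saslname escapes ("=2C" and "=3D") that rejects malformed input and always terminates the output at the decoded length, so a "dn:" authzid such as the constructed sample below compares equal to the DN slapd expects instead of carrying trailing escaped characters.

```c
#include <stdio.h>
#include <string.h>

/* Decode a SCRAM saslname (RFC 5802, section 5.1). The only escapes are
 * "=2C" (comma) and "=3D" (equals); a bare '=' or an unescaped ',' is
 * malformed. Decodes in[0..inlen) into out, NUL-terminates the result
 * and returns the decoded length, or -1 on a malformed escape or a
 * too-small buffer. Nothing from the escaped input can trail the result,
 * which is the symptom the report above describes. */
int scram_decode_saslname(const char *in, size_t inlen, char *out, size_t outlen)
{
    size_t i = 0, o = 0;
    while (i < inlen) {
        char c = in[i];
        if (c == ',') return -1;                      /* unescaped comma */
        if (c == '=') {
            if (i + 3 > inlen) return -1;             /* truncated escape */
            if (in[i + 1] == '2' && in[i + 2] == 'C') c = ',';
            else if (in[i + 1] == '3' && in[i + 2] == 'D') c = '=';
            else return -1;                           /* only =2C / =3D exist */
            i += 3;
        } else {
            i += 1;
        }
        if (o + 1 >= outlen) return -1;               /* keep room for the NUL */
        out[o++] = c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Decode a wire-format authzid and compare it with the identity slapd
 * would match against. Returns 1 when identical, 0 otherwise. */
int authzid_matches(const char *wire, const char *expected)
{
    char buf[256];
    int n = scram_decode_saslname(wire, strlen(wire), buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample: a "dn:" authzid whose '=' and ',' are escaped. */
    const char *wire = "dn:cn=3Dbill=2Cdc=3Dexample";
    char buf[64];
    int n = scram_decode_saslname(wire, strlen(wire), buf, sizeof buf);
    printf("%d \"%s\"\n", n, buf);
    return authzid_matches(wire, "dn:cn=bill,dc=example") ? 0 : 1;
}
```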