Re: ITS#8866 (was: ITS review 6/14/2019)
- To: Howard Chu <hyc@symas.com>, openldap-devel@openldap.org
- Subject: Re: ITS#8866 (was: ITS review 6/14/2019)
- From: Michael Ströder <michael@stroeder.com>
- Date: Thu, 27 Jun 2019 18:28:19 +0200
- In-reply-to: <8af78261-f4dc-4512-ada7-2d1f5d032c61@stroeder.com>
- Openpgp: id=43C8730E84A20E560722806C07DC7AE36A8BC938
- References: <75C436AED8239707278A1D62@[192.168.1.39]> <748a7925-8b5c-7bbd-9dd4-cafd4e65b3c8@stroeder.com> <dc97ce2b-8425-9d36-fac2-107a5ca63f63@symas.com> <8af78261-f4dc-4512-ada7-2d1f5d032c61@stroeder.com>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
On 6/27/19 6:23 PM, Michael Ströder wrote:
> On 6/27/19 6:18 PM, Howard Chu wrote:
>> Michael Ströder wrote:
>>> On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote:
>>>> Thanks to Ondrej, this list is a bit shorter now. :)
>>>
>>> But one more I'd love to see in 2.4.48:
>>>
>>> ITS#8866: RFE: slapo-constraint to return filter used in diagnostic message
>>>
>>> https://www.openldap.org/its/index.cgi?findid=8866
>>
>> I don't believe the information disclosure issues have been
>> sufficiently answered there. Overall it's a bad idea and goes against
>> our standing policy of minimal disclosure.
> Sorry, you already have the disclosure.
>
> Citing from my old e-mail found here:
> https://www.openldap.org/lists/openldap-devel/201711/msg00003.html
>
>> But this problem exists anyway because an attacker can probe
>> values by adding entries with non-unique attributes and determine
>> whether an attribute value exists or not by distinguishing the result
>> code constraintViolation(19) vs. insufficientAccessRights(50).
>> Even worse this even works in case the attacker does not have read
>> access anywhere!
Furthermore, the security of a system should not rely on the confidentiality
of the configuration. E.g. with Æ-DIR the config is publicly known.
Also note I'm usually blamed for making directory contents too confidential.
Ciao, Michael.
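The quoted e-mail describes a result-code oracle: a client without any read access can still learn whether an attribute value exists by issuing ADD requests and comparing constraintViolation(19) with insufficientAccessRights(50). The following script is an added example, written from the defender's side and not part of this thread or of OpenLDAP itself; it scans slapd "stats"-style log lines and flags bind DNs whose write operations keep alternating between those two result codes. The exact line layout, the regexes, the sample log and the threshold are all assumptions here, so adjust them to what your slapd actually emits.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of slapd's "stats" loglevel output
# (the layout is an assumption; real logs carry a syslog prefix too).
SAMPLE_LOG = """\
conn=1001 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="uid=probe,ou=people,dc=example,dc=com" method=128
conn=1001 op=0 BIND dn="uid=probe,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 ADD dn="uid=scratch1,ou=scratch,dc=example,dc=com"
conn=1001 op=1 RESULT tag=105 err=19 text=some attributes not unique
conn=1001 op=2 ADD dn="uid=scratch2,ou=scratch,dc=example,dc=com"
conn=1001 op=2 RESULT tag=105 err=50 text=
conn=1001 op=3 ADD dn="uid=scratch3,ou=scratch,dc=example,dc=com"
conn=1001 op=3 RESULT tag=105 err=19 text=some attributes not unique
conn=1001 op=4 ADD dn="uid=scratch4,ou=scratch,dc=example,dc=com"
conn=1001 op=4 RESULT tag=105 err=50 text=
conn=1001 op=5 UNBIND
conn=1002 fd=13 ACCEPT from IP=192.0.2.20:40001 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
conn=1002 op=0 RESULT tag=97 err=0 text=
conn=1002 op=1 ADD dn="uid=newuser,ou=people,dc=example,dc=com"
conn=1002 op=1 RESULT tag=105 err=0 text=
conn=1002 op=2 ADD dn="uid=dup,ou=people,dc=example,dc=com"
conn=1002 op=2 RESULT tag=105 err=19 text=some attributes not unique
"""

# Regexes for the three line kinds we care about (assumed layout).
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
WRITE_RE = re.compile(r'conn=(\d+) op=(\d+) (ADD|MOD) dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+)')

# The two result codes whose contrast forms the oracle described in the mail.
CONSTRAINT_VIOLATION = 19
INSUFFICIENT_ACCESS = 50
ORACLE_CODES = {CONSTRAINT_VIOLATION, INSUFFICIENT_ACCESS}


def analyze(log_text, min_probes=3):
    """Return {bind_dn: counters} for DNs whose write ops look like probing.

    A DN is flagged when at least `min_probes` of its ADD/MOD results were
    err=19 or err=50 AND both codes occurred: a single code alone is what
    normal duplicate entries or ordinary ACL denials look like, the
    alternation is what an existence oracle needs.
    """
    bind_dn = {}                   # conn id -> DN currently bound on it
    pending = {}                   # (conn, op) -> "ADD" / "MOD" awaiting RESULT
    per_dn = defaultdict(list)     # bound DN -> result codes of its write ops

    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            # Empty dn="" is an anonymous bind; the mail notes the probe
            # needs no read access, so anonymous clients are tracked too.
            bind_dn[m.group(1)] = m.group(3) or "<anonymous>"
            continue
        m = WRITE_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            if key in pending:     # only RESULT lines that answer a write op
                err = int(m.group(3))
                per_dn[bind_dn.get(m.group(1), "<anonymous>")].append(err)
                del pending[key]

    flagged = {}
    for dn, codes in per_dn.items():
        hits = [c for c in codes if c in ORACLE_CODES]
        if len(hits) >= min_probes and ORACLE_CODES <= set(hits):
            flagged[dn] = {
                "probes": len(hits),
                "constraint_violation": hits.count(CONSTRAINT_VIOLATION),
                "insufficient_access": hits.count(INSUFFICIENT_ACCESS),
            }
    return flagged


if __name__ == "__main__":
    for dn, counters in analyze(SAMPLE_LOG).items():
        print(f"possible value probing by {dn}: {counters}")
```

Run against the constructed sample, only the "uid=probe" DN is reported: it collected two 19s and two 50s across four ADDs, while the admin connection's single err=19 after a legitimate add stays below the threshold. The check does not depend on the diagnostic text at all, which is the point of the mail: the oracle lives in the result codes, so returning the constraint filter in the diagnostic message neither creates nor closes it.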