Require explicit intention for empty password.
This is normally used for unauthenticated bind, and https://tools.ietf.org/html/rfc4513#section-5.1.2 recommends:

> Clients SHOULD disallow an empty password input to a Name/Password
> Authentication user interface

This is (mostly) a cherry-pick of 95ede12 from upstream. I've removed the bit in ldap_test.go, which is unrelated to the security issue.

This fixes CVE-2017-14623.

https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66

Closes: #876404
parent 9f19cec1
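The failure mode the commit message describes, and the "explicit intention" check that fixes it, modelled as a self-contained Go program. This is an added example, not go-ldap's code or the commit's diff: `Bind`, `UnauthenticatedBind`, `LegacyBind`, `ServerBind`, `Login` and the `BindRequest.Unauthenticated` field are assumed names for this illustration, and the `directory` map is a constructed stand-in for an LDAP server that permits unauthenticated binds.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrEmptyPassword is returned when Bind is called with an empty password.
// Under RFC 4513 section 5.1.2 an empty password turns a simple bind into an
// unauthenticated bind, so the caller must ask for that explicitly.
var ErrEmptyPassword = errors.New("ldap: empty password not allowed; use UnauthenticatedBind explicitly")

// BindRequest models what a simple bind request carries. The Unauthenticated
// flag is an assumption of this example (not a go-ldap field), used to make
// the kind of bind visible to the caller.
type BindRequest struct {
	DN              string
	Password        string
	Unauthenticated bool
}

// Bind is the hardened entry point: an empty password is refused outright.
func Bind(dn, password string) (BindRequest, error) {
	if password == "" {
		return BindRequest{}, ErrEmptyPassword
	}
	return BindRequest{DN: dn, Password: password}, nil
}

// UnauthenticatedBind is the only way to send an empty password, so the
// intention is explicit at the call site and visible in code review.
func UnauthenticatedBind(dn string) BindRequest {
	return BindRequest{DN: dn, Unauthenticated: true}
}

// LegacyBind models the pre-fix behaviour: an empty password was passed
// through unchanged and silently became an unauthenticated bind.
func LegacyBind(dn, password string) BindRequest {
	return BindRequest{DN: dn, Password: password, Unauthenticated: password == ""}
}

// Constructed credential store standing in for a real LDAP server.
var directory = map[string]string{
	"cn=alice,dc=example,dc=com": "correct horse battery staple",
}

// ServerBind simulates a server that permits unauthenticated binds (a common
// default). It returns the authorization identity the session ends up with:
// the DN after a successful password check, "" (anonymous) for an
// unauthenticated bind, and ok=false for a wrong password.
func ServerBind(req BindRequest) (authzID string, ok bool) {
	if req.Unauthenticated {
		return "", true // the bind "succeeds", but only as anonymous
	}
	if pw, found := directory[req.DN]; found && pw == req.Password {
		return req.DN, true
	}
	return "", false
}

// Login is how an application typically wraps the bind: it treats ok as
// "the user proved their password". With the hardened Bind an empty password
// from a login form never reaches the server.
func Login(dn, password string) (loggedIn bool, err error) {
	req, err := Bind(dn, password)
	if err != nil {
		return false, err
	}
	authz, ok := ServerBind(req)
	return ok && authz == dn, nil
}

// LegacyLogin is the same wrapper over the pre-fix bind: an empty password
// yields ok=true (anonymous) and the application logs the user in.
func LegacyLogin(dn, password string) bool {
	_, ok := ServerBind(LegacyBind(dn, password))
	return ok
}

func main() {
	const alice = "cn=alice,dc=example,dc=com"
	fmt.Println("legacy, empty password:", LegacyLogin(alice, "")) // true: the bug
	ok, err := Login(alice, "")
	fmt.Println("hardened, empty password:", ok, err) // false, ErrEmptyPassword
	ok, _ = Login(alice, "correct horse battery staple")
	fmt.Println("hardened, right password:", ok) // true
}
```

The point of splitting `Bind` and `UnauthenticatedBind` is that a reviewer reading the call site can tell which kind of bind the code performs; a server-side setting that forbids unauthenticated binds is a second, independent layer and does not remove the need for the client-side check.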