[Freeipa-devel] [PATCH 0076] Ensure that a password exists after OTP validation

Petr Vobornik pvoborni at redhat.com
Thu Nov 6 10:00:06 UTC 2014


On 5.11.2014 21:22, Alexander Bokovoy wrote:
> On Wed, 05 Nov 2014, Nathaniel McCallum wrote:
>> Before this patch users could log in using only the OTP value. This
>> arose because ipapwd_authentication() successfully determined that
>> an empty password was invalid, but 389 itself would see this as an
>> anonymous bind. An anonymous bind would never even get this far in
>> this code, so we simply deny requests with empty passwords.
>>
>> This patch resolves CVE-2014-7828.
>>
>> https://fedorahosted.org/freeipa/ticket/4690
> ACK.
>
> We need to do release for 4.0 and 4.1 first thing tomorrow.
> A possible workaround is to disable 2FA for users in the meantime.
>
>

Pushed to:
master: 79df668b5df59813ffbb6192eecfb687bccbc0eb
ipa-4-1: a601daa0117c4991ae7e198cc864246c66d36f57
ipa-4-0: 013e2eae2041729d5ee6ad4dc825bc4f24234ec6
-- 
Petr Vobornik
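The failure mode described in the commit message above, as an added simulation that is not FreeIPA or 389-ds code: `USERS`, `directory_bind` and the two `otp_preop_*` functions are constructed for illustration, with the directory modelled so that an empty bind password is treated as a successful anonymous bind.

```python
# Constructed simulation of the CVE-2014-7828 logic; not FreeIPA's ipa-pwd-extop plugin.
# A 2FA credential is the user's password followed by a 6-digit OTP.
OTP_LEN = 6

# Constructed sample data.
USERS = {"alice": {"password": "s3cret", "otp": "123456"}}


def directory_bind(user, password):
    """Simulated simple bind: an empty password is an anonymous bind, which
    'succeeds' without authenticating anyone (the 389 behaviour the fix works around)."""
    if password == "":
        return "anonymous"
    entry = USERS.get(user)
    if entry is not None and entry["password"] == password:
        return "authenticated"
    return "failed"


def split_credential(credential):
    """Return (password, otp) or None if the credential is too short to hold an OTP."""
    if len(credential) < OTP_LEN:
        return None
    return credential[:-OTP_LEN], credential[-OTP_LEN:]


def otp_preop_vulnerable(user, credential):
    """Pre-bind check as it behaved before the fix: after the OTP is stripped, the
    remaining (possibly empty) password is handed on, and anything that is not an
    outright failure lets the bind through. An OTP-only credential therefore passes."""
    parts = split_credential(credential)
    if parts is None:
        return False
    password, otp = parts
    entry = USERS.get(user)
    if entry is None or entry["otp"] != otp:
        return False
    return directory_bind(user, password) != "failed"


def otp_preop_fixed(user, credential):
    """After the fix: deny the request outright when no password remains after the OTP,
    so the directory never sees an empty password it could treat as an anonymous bind."""
    parts = split_credential(credential)
    if parts is None:
        return False
    password, otp = parts
    if password == "":
        return False
    entry = USERS.get(user)
    if entry is None or entry["otp"] != otp:
        return False
    return directory_bind(user, password) == "authenticated"
```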