Re: BUG #10680: LDAP bind password leaks to log on failed authentication

On Mon, Jun 23, 2014 at 10:26 PM, Steven Siebert <smsiebe@gmail.com> wrote:

> Thanks for the continued discussion on this issue.
>
> It seems like, generally, fixing this vulnerability is getting a green
> light.
>
> I wouldn't mind re-working the patch for this bug if I knew the
> consensus on the preferred implementation.  As I mentioned previously,
> I'm new here, so how do I go about soliciting "votes" (or otherwise)
> the preferred approach so that I may move forward.
>

I think the current summary is that "option c" is the one that people would
accept if you submit it (provided the regular caveats about it being
correctly implemented etc, of course). It should of course cover other
potentially sensitive fields as well (such as the radius encryption key).

If you implement a patch for that option, I will be happy to review and
apply it.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/