Re: BUG #10680: LDAP bind password leaks to log on failed authentication

From | Steven Siebert |
---|---|
Subject | Re: BUG #10680: LDAP bind password leaks to log on failed authentication |
Date | |
Msg-id | CAC3nzeidOUjEsF-dUYo_eDEMQqYMe0zWnc8RtirX8=vPoxAR5w@mail.gmail.com |
In response to | Re: BUG #10680: LDAP bind password leaks to log on failed authentication (Bruce Momjian <bruce@momjian.us>) |
Responses | Re: BUG #10680: LDAP bind password leaks to log on failed authentication |
List | pgsql-bugs |

Dropped off my radar I'm afraid, but the customer is still quite interested in getting this fixed. What we finally worked out should be quick work, I'll throw up a patch tonight. Thanks for the ping!

Thanks,

S

On Sat, Oct 11, 2014 at 2:35 PM, Bruce Momjian <bruce@momjian.us> wrote:

>
> Was any progress made on this, the reporting of LDAP/RADIUS passwords in
> our server logs?
>
> ---------------------------------------------------------------------------
>
> On Mon, Jun 23, 2014 at 04:42:24PM -0400, Steven Siebert wrote:
> > Thanks Magnus =) I'll move forward with this guidance.
> >
> >
> > On Mon, Jun 23, 2014 at 4:35 PM, Magnus Hagander <magnus@hagander.net> wrote:
> > > On Mon, Jun 23, 2014 at 10:26 PM, Steven Siebert <smsiebe@gmail.com> wrote:
> > >>
> > >> Thanks for the continued discussion on this issue.
> > >>
> > >> It seems like, generally, fixing this vulnerability is getting a green
> > >> light.
> > >>
> > >> I wouldn't mind re-working the patch for this bug if I knew the
> > >> consensus on the preferred implementation. As I mentioned previously,
> > >> I'm new here, so how do I go about soliciting "votes" (or otherwise)
> > >> the preferred approach so that I may move forward.
> > >
> > >
> > > I think the current summary is that "option c" is the one that people would
> > > accept if you submit it (provided the regular caveats about it being
> > > correctly implemented etc, of course). It should of course cover other
> > > potentially sensitive fields as well (such as the radius encryption key).
> > >
> > > If you implement a patch for that option, I will be happy to review and
> > > apply it.
> > >
> > > --
> > > Magnus Hagander
> > > Me: http://www.hagander.net/
> > > Work: http://www.redpill-linpro.com/
> >
> >
> > --
> > Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
> > To make changes to your subscription:
> > http://www.postgresql.org/mailpref/pgsql-bugs
>
> --
> Bruce Momjian <bruce@momjian.us> http://momjian.us
> EnterpriseDB http://enterprisedb.com
>
> + Everyone has their own god. +