Re: BUG #10680: LDAP bind password leaks to log on failed authentication

Thanks Magnus =)  I'll move forward with this guidance.


On Mon, Jun 23, 2014 at 4:35 PM, Magnus Hagander <magnus@hagander.net> wrote:
> On Mon, Jun 23, 2014 at 10:26 PM, Steven Siebert <smsiebe@gmail.com> wrote:
>>
>> Thanks for the continued discussion on this issue.
>>
>> It seems like, generally, fixing this vulnerability is getting a green
>> light.
>>
>> I wouldn't mind re-working the patch for this bug if I knew the
>> consensus on the preferred implementation.  As I mentioned previously,
>> I'm new here, so how do I go about soliciting "votes" (or otherwise)
>> the preferred approach so that I may move forward.
>
>
> I think the current summary is that "option c" is the one that people would
> accept if you submit it (provided the regular caveats about it being
> correctly implemented etc, of course). It should of course cover other
> potentially sensitive fields as well (such as the radius encryption key).
>
> If you implement a patch for that option, I will be happy to review and
> apply it.
>
> --
>  Magnus Hagander
>  Me: http://www.hagander.net/
>  Work: http://www.redpill-linpro.com/