author: Nathaniel McCallum <npmccallum@redhat.com> 2014-11-05 13:50:41 -0500
committer: Petr Vobornik <pvoborni@redhat.com> 2014-11-06 10:56:19 +0100
commit: 79df668b5df59813ffbb6192eecfb687bccbc0eb (patch)
tree: 16adc3b29fab5b4b1c978356e3ac74158f5c11bc /API.txt
parent: 730f33680b7254622659eec2e48399ef7033a477 (diff)
Ensure that a password exists after OTP validation
Before this patch users could log in using only the OTP value. This arose because ipapwd_authentication() successfully determined that an empty password was invalid, but 389 itself would see this as an anonymous bind. An anonymous bind would never even get this far in this code, so we simply deny requests with empty passwords.

This patch resolves CVE-2014-7828.

https://fedorahosted.org/freeipa/ticket/4690

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
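The failure mode the commit describes, as an added illustration that is not FreeIPA's own code: a hypothetical `split_credential()` routine that separates a combined "password + OTP token" credential and refuses to continue when the long-term password part would be empty, since an LDAP simple bind with an empty password is an anonymous bind rather than an authentication of the named user. The token length, buffer layout and status names are assumptions for this example.

```c
#include <stddef.h>
#include <string.h>

/* Outcome of separating a combined credential (hypothetical status set). */
typedef enum {
    CRED_OK,              /* password and token both present */
    CRED_INVALID,         /* malformed input or buffer too small */
    CRED_EMPTY_PASSWORD   /* only a token was supplied: must be denied */
} cred_status;

/* Treat the last `otp_len` characters of `cred` as the OTP token and the
 * rest as the long-term password. A credential that consists of nothing
 * but the token yields an empty password; handing that to the directory
 * server as a simple bind would be an anonymous bind, so it is rejected
 * here instead of being passed on. */
cred_status split_credential(const char *cred, size_t otp_len,
                             char *pw, size_t pw_cap,
                             char *otp, size_t otp_cap)
{
    size_t len = strlen(cred);
    if (len < otp_len || otp_len + 1 > otp_cap)
        return CRED_INVALID;

    size_t pw_len = len - otp_len;
    if (pw_len == 0)
        return CRED_EMPTY_PASSWORD;   /* the OTP-only login case */
    if (pw_len + 1 > pw_cap)
        return CRED_INVALID;

    memcpy(pw, cred, pw_len);
    pw[pw_len] = '\0';
    memcpy(otp, cred + pw_len, otp_len);
    otp[otp_len] = '\0';
    return CRED_OK;
}

int main(void)
{
    /* Constructed sample credentials: a 6-digit token with and without a password. */
    char pw[64], otp[16];
    cred_status bad = split_credential("123456", 6, pw, sizeof pw, otp, sizeof otp);
    cred_status good = split_credential("Secret123456", 6, pw, sizeof pw, otp, sizeof otp);
    return (bad == CRED_EMPTY_PASSWORD && good == CRED_OK) ? 0 : 1;
}
```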
Diffstat (limited to 'API.txt')
0 files changed, 0 insertions, 0 deletions