[SECURITY] [DLA 1180-1] libspring-ldap-java security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1180-1] libspring-ldap-java security update
From: Markus Koschany <apo@debian.org>
Date: Sun, 19 Nov 2017 19:19:36 +0100
Message-id: <[🔎] 6933b616-b2ec-72a8-7fdc-a75ed5c29bcb@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libspring-ldap-java
Version        : 1.3.1.RELEASE-4+deb7u1
CVE ID         : CVE-2017-8028

Tobias Schneider discovered that Spring-LDAP would allow authentication
with an arbitrary password when the username is correct, no additional
attributes are bound and when using LDAP BindAuthenticator with
DefaultTlsDirContextAuthenticationStrategy as the authentication
strategy and setting userSearch. This occurs because some LDAP vendors
require an explicit operation for the LDAP bind to take effect.

For Debian 7 "Wheezy", these problems have been fixed in version
1.3.1.RELEASE-4+deb7u1.

We recommend that you upgrade your libspring-ldap-java packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAloRyzdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeTxkxAArS0/0/aSVJwtVI2fJ3kOxcIkMv74HDlVH9FM0ZawiMwSMBNzFSS/ci5w
PeWbHiLUWHg6/XXxNVXgtixRNlmtA+DOy6vVf7YfjxI49XAF3qWuqXZjIPFvzJ3Z
1RliyAqs6j3bWsavQ7FJkdy+3WgYTuA/k3FbP2kYYnn+jquudbWKhzm+aFnAzQRk
NTYYfaeyXIHzb2SYGPncovdWee1a6GvcFLwnUzNyQtp7QBWqEGwSHskBR4ZSJhp6
EP+QFAA1yiq5fjXx4YrLiIQtk3B3vzdxwJLuy30r/YU8RpaAHz0goQVQKDrs/Ei8
JIz6PUtEcYhBMuF61O+3FZMKZDYsIuN05ES/UZOQwAa1fjKCkt0poyWC4SKCULG2
5RyLopjrxf/sp2mGg9zDukXdZFV5vO1c1WEkuggXlQRdoCToKlaMOIj5Ts+Q/Sj9
4keNTYBSGR7mIofDNLOf5rcL2FHY1XfrRoHlU/Z8Zu5gatjfp4Pf01R28tSn3JKv
aqcFIL6UmsUfy8TP8T2p07+B+0KMfslO5/qZ7vPnODqrbZ7lh8fayivRyH//iH2a
2ntk/gBKhA3woHXRach3dnz0K8Z2UoyTxpud9xa0OqQO73SqyYOzMWNxMAwhzD5K
UMzEfTemTpkqxXzQHOBFJs6HcWe5sUk/PGJqXt8ADyrhzCaGk3Q=
=0qzu
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 1179-1] shibboleth-sp2 security update
Next by Date: [SECURITY] [DLA 1181-1] xen security update
Previous by thread: [SECURITY] [DLA 1179-1] shibboleth-sp2 security update
Next by thread: [SECURITY] [DLA 1181-1] xen security update
Index(es):
- Date
- Thread