| From: | Steven Siebert <smsiebe(at)gmail(dot)com> |
|---|---|
| To: | Bruce Momjian <bruce(at)momjian(dot)us> |
| Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: BUG #10680: LDAP bind password leaks to log on failed authentication |
| Date: | 2014-10-12 00:44:24 |
| Message-ID: | CAC3nzeidOUjEsF-dUYo_eDEMQqYMe0zWnc8RtirX8=vPoxAR5w@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Dropped off my radar I'm afraid, but the customer is still quite interested
in getting this fixed. What we finally worked out should be quick work,
I'll throw up a patch tonight. Thanks for the ping!
Thanks,
S
On Sat, Oct 11, 2014 at 2:35 PM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>
> Was any progress made on this, the reporting of LDAP/RADIUS passwords in
> our server logs?
>
> ---------------------------------------------------------------------------
>
> On Mon, Jun 23, 2014 at 04:42:24PM -0400, Steven Siebert wrote:
> > Thanks Magnus =) I'll move forward with this guidance.
> >
> >
> > On Mon, Jun 23, 2014 at 4:35 PM, Magnus Hagander <magnus(at)hagander(dot)net>
> wrote:
> > > On Mon, Jun 23, 2014 at 10:26 PM, Steven Siebert <smsiebe(at)gmail(dot)com>
> wrote:
> > >>
> > >> Thanks for the continued discussion on this issue.
> > >>
> > >> It seems like, generally, fixing this vulnerability is getting a green
> > >> light.
> > >>
> > >> I wouldn't mind re-working the patch for this bug if I knew the
> > >> consensus on the preferred implementation. As I mentioned previously,
> > >> I'm new here, so how do I go about soliciting "votes" (or otherwise)
> > >> the preferred approach so that I may move forward.
> > >
> > >
> > > I think the current summary is that "option c" is the one that people
> would
> > > accept if you submit it (provided the regular caveats about it being
> > > correctly implemented etc, of course). It should of course cover other
> > > potentially sensitive fields as well (such as the radius encryption
> key).
> > >
> > > If you implement a patch for that option, I will be happy to review and
> > > apply it.
> > >
> > > --
> > > Magnus Hagander
> > > Me: http://www.hagander.net/
> > > Work: http://www.redpill-linpro.com/
> >
> >
> > --
> > Sent via pgsql-bugs mailing list (pgsql-bugs(at)postgresql(dot)org)
> > To make changes to your subscription:
> > http://www.postgresql.org/mailpref/pgsql-bugs
>
> --
> Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
> EnterpriseDB http://enterprisedb.com
>
> + Everyone has their own god. +
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Steven Siebert | 2014-10-12 18:40:37 | Re: BUG #10680: LDAP bind password leaks to log on failed authentication |
| Previous Message | Andres Freund | 2014-10-11 21:47:14 | Re: BUG #11033: 'pg_dump -a' much slower than 'pg_dump' |