On Wed, 5 Nov 2014 22:22:16 +0200 Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Wed, 05 Nov 2014, Nathaniel McCallum wrote:
> >Before this patch users could log in using only the OTP value. This
> >arose because ipapwd_authentication() successfully determined that
> >an empty password was invalid, but 389 itself would see this as an
> >anonymous bind. An anonymous bind would never even get this far in
> >this code, so we simply deny requests with empty passwords.
> >
> >This patch resolves CVE-2014-7828.
> >
> >https://fedorahosted.org/freeipa/ticket/4690
> ACK. Code sounds good, but I haven't tested it.
> We need to do release for 4.0 and 4.1 first thing tomorrow.

Yes.

> A possible workaround is to disable 2FA for users in the meantime.

We should send a warning to freeipa-users mailing list that we are
preparing a release and they should consider disabling 2FA in the
meanwhile if they are using it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
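The failure mode the quoted commit message describes, modelled as an added example. This is not FreeIPA's ipa-pwd-extop plugin or 389-ds code: it is a constructed pre-bind hook that strips a TOTP value off the end of the credential, verifies it, and either answers the bind itself or lets the server's own simple bind run on what is left. The server-side bind here treats DN + empty password as an anonymous bind that returns success, which is the behaviour the commit message attributes to 389. All names (User, pre_bind, server_bind, authenticate), the sample user and the salt are assumptions made for the example; the OTP secret is the RFC 4226/6238 test-vector secret so the expected code is known.

```python
"""Model of a bind pre-op hook with 2FA, showing how an empty password can
fall through to an anonymous bind (constructed example, not FreeIPA code)."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49
OTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP for Unix time `now` (time is passed in for determinism)."""
    return hotp(secret, now // step)


class User:
    """Assumed user record: DN, PBKDF2 password hash, optional TOTP secret."""

    def __init__(self, dn: str, password: str, otp_secret: Optional[bytes]):
        self.dn = dn
        self.salt = b"constructed-salt"          # fixed salt, example only
        self.pw_hash = self._hash(password)
        self.otp_secret = otp_secret

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self.pw_hash)


def server_bind(user: User, password: str) -> Tuple[int, Optional[str]]:
    """The server's own simple bind. A DN with an empty password is an
    unauthenticated bind (RFC 4513 5.1.2); this model treats it as anonymous
    and returns success, as the commit message says 389 did."""
    if password == "":
        return LDAP_SUCCESS, "anonymous"
    if user.check_password(password):
        return LDAP_SUCCESS, user.dn
    return LDAP_INVALID_CREDENTIALS, None


def pre_bind(user: User, credential: str, now: int,
             deny_empty: bool) -> Tuple[bool, Optional[int], str]:
    """Pre-bind hook. Returns (handled, result, remaining_password).
    handled=False means the server's own bind runs on remaining_password.
    deny_empty=True is the fix from the patch: an empty password is refused
    here, so it can never reach the server and become an anonymous bind."""
    code = None
    password = credential
    if user.otp_secret is not None:
        if len(credential) < OTP_DIGITS:
            return True, LDAP_INVALID_CREDENTIALS, ""
        password, code = credential[:-OTP_DIGITS], credential[-OTP_DIGITS:]
    if deny_empty and password == "":
        return True, LDAP_INVALID_CREDENTIALS, ""
    if code is not None and not hmac.compare_digest(code, totp(user.otp_secret, now)):
        return True, LDAP_INVALID_CREDENTIALS, ""
    if code is None:
        return False, None, password          # no 2FA: plain bind, server checks it
    if not user.check_password(password):
        # Vulnerable flow: the password part was found invalid, but the hook
        # does not answer the bind, so the server sees the stripped password.
        return False, None, password
    return True, LDAP_SUCCESS, password


def authenticate(user: User, credential: str, now: int, deny_empty: bool) -> bool:
    """What a calling application sees: did the bind return success?"""
    handled, result, remaining = pre_bind(user, credential, now, deny_empty)
    if not handled:
        result, _identity = server_bind(user, remaining)
    return result == LDAP_SUCCESS


if __name__ == "__main__":
    alice = User("uid=alice,cn=users,cn=accounts,dc=example,dc=com",
                 "correct horse", b"12345678901234567890")
    otp = totp(alice.otp_secret, 59)             # "287082" for this secret/time
    print("password+OTP, fixed   :", authenticate(alice, "correct horse" + otp, 59, True))
    print("OTP only, vulnerable  :", authenticate(alice, otp, 59, False))
    print("OTP only, fixed       :", authenticate(alice, otp, 59, True))
```

With deny_empty=False the OTP value alone logs the user in: the hook strips the code, the leftover empty password is handed to the server, and the anonymous bind's success is what the application sees. The one-line check on the password before anything is delegated closes that path without touching the OTP logic, which is the shape of the fix discussed in the thread.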