[rt-users] LDAP Overlay Security Patch

Jim Meyer purp at acm.org
Wed Jun 21 03:18:35 EDT 2006


Hello!

On 6/21/06, Malcolm Herbert <rt-users at mjch.net> wrote:
> On Tue, Jun 20, 2006 at 11:59:34PM -0700, Jim Meyer wrote:
> |Thanks to Walter Duncan, a critical security bug in the LDAP overlay's
> |account autocreation callback has been fixed. If you're using this
> |code, please update it from the wiki:
> |
> |   http://wiki.bestpractical.com/index.cgi?LdapAutocreateAuthCallback
> |
> |The bug, left unpatched, could allow user accounts to be compromised.
> |Please update as soon as possible.
>
> Can you tell us which versions of RT this will affect?  thanks

This affects any version of RT in which you've installed the LDAP
overlay found in the Best Practical wiki at
http://wiki.bestpractical.com/?LDAP. It is particular to the
recently-added Auth callback which autocreates user accounts; that
file (found at http://wiki.bestpractical.com/?LdapAutocreateAuthCallback)
is the only piece of the overlay which must be updated to patch this
bug.

This bug is not inherent to RT itself; if you haven't installed the
LDAP overlay referenced above, this is not an issue for you.

Hope that's more clear!

--j
-- 
Jim Meyer, Geek at Large                                    purp at acm.org


