[SECURITY] [DLA 79-1] dokuwiki security update

To: Debian LTS announces <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 79-1] dokuwiki security update
From: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Date: Wed, 29 Oct 2014 15:44:59 +0100
Message-id: <[🔎] 20141029144459.GA1959@ortolo.eu>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

Package        : dokuwiki
Version        : 0.0.20091225c-10+squeeze3
CVE ID         : CVE-2014-8763 CVE-2014-8764
Debian Bug     : 766545

This fixes a possibility of bypasswing the wiki authentication when an Active
Directory is used for LDAP authentication. These two CVE are almost the same,
one apparently being a superset of the other. They are fixed together.

CVE-2014-8763

    DokuWiki before 2014-05-05b, when using Active Directory for LDAP
    authentication, allows remote attackers to bypass authentication via a
    password starting with a null (\0) character and a valid user name, which
    triggers an unauthenticated bind.

CVE-2014-8764

    DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP
    authentication, allows remote attackers to bypass authentication via a
    user name and password starting with a null (\0) character, which triggers
    an anonymous bind.

--
 ,--.
: /` )   ن Tanguy Ortolo    <xmpp:tanguy@ortolo.eu>
| `-'    Debian Developer   <irc://irc.oftc.net/Tanguy>
 \_

Attachment: signature.asc
Description: Digital signature

Reply to:

Prev by Date: [SECURITY] [DLA 58-3] apt robustness improvements
Next by Date: [SECURITY] [DLA 80-1] libxml2 security update
Previous by thread: [SECURITY] [DLA 58-3] apt robustness improvements
Next by thread: [SECURITY] [DLA 80-1] libxml2 security update
Index(es):
- Date
- Thread